From: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1797-1                    [email protected]
http://www.debian.org/security/                        Moritz Muehlenhoff
May 09, 2009                            http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package        : xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1311
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2009-0652
Moxie Marlinspike discovered that Unicode box drawing characters inside of
internationalised domain names could be used for phishing attacks.
CVE-2009-1302
Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman
and Gary Kwong reported crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2009-1303
Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman
and Gary Kwong reported crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2009-1304
Igor Bukanov and Bob Clary discovered crashes in the Javascript engine,
which might allow the execution of arbitrary code.
CVE-2009-1305
Igor Bukanov and Bob Clary discovered crashes in the Javascript engine,
which might allow the execution of arbitrary code.
CVE-2009-1306
Daniel Veditz discovered that the Content-Disposition: header is ignored
within the jar: URI scheme.
CVE-2009-1307
Gregory Fleischer discovered that the same-origin policy for Flash files
is improperly enforced for files loaded through the view-source scheme,
which may result in a bypass of cross-domain policy restrictions.
CVE-2009-1308
Cefn Hoile discovered that sites which allow the embedding of third-party
stylesheets are vulnerable to cross-site scripting attacks through XBL
bindings.
CVE-2009-1309
"moz_bug_r_a4" discovered bypasses of the same-origin policy in the
XMLHttpRequest Javascript API and the XPCNativeWrapper.
CVE-2009-1311
Paolo Amadini discovered that incorrect handling of POST data when
saving a web site with an embedded frame may lead to information disclosure.
CVE-2009-1312
It was discovered that Iceweasel allows Refresh: headers to redirect
to Javascript URIs, resulting in cross-site scripting.
For the stable distribution (lenny), these problems have been fixed
in version 1.9.0.9-0lenny2.
As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.
For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.9-1.
We recommend that you upgrade your xulrunner packages.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
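The manual wget/dpkg path above skips the integrity check that apt performs, so an added example (not part of this advisory) shows how to check downloaded files against the "Size/MD5 checksum:" lines the advisory lists under each URL before running dpkg -i. The excerpt, file names and checksum values are constructed, and the function names verify_file and verify_advisory are assumptions.

```shell
# Added example, not part of the DSA: check downloaded package files against
# the "Size/MD5 checksum:" lines a Debian advisory lists under each URL.

# Constructed excerpt in the advisory's layout (URL line, then checksum line).
# File names and checksums are made up for the sample files created below.
ADVISORY_EXCERPT='http://security.debian.org/pool/updates/main/x/xulrunner/sample_1.9.0.9-0lenny2.dsc
Size/MD5 checksum: 6 b1946ac92492d2347c6235b4d2611184
http://security.debian.org/pool/updates/main/x/xulrunner/sample_1.9.0.9-0lenny2.diff.gz
Size/MD5 checksum: 6 b1946ac92492d2347c6235b4d2611184'

# verify_file FILE SIZE MD5: succeed only if the file exists and both the
# byte count and the MD5 digest match the advisory's values.
verify_file() {
    file=$1 want_size=$2 want_md5=$3
    [ -f "$file" ] || return 1
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] && [ "$have_md5" = "$want_md5" ]
}

# verify_advisory DIR EXCERPT: walk the URL/checksum pairs, check the file of
# the same name in DIR, print OK/FAIL per file, and fail if any file fails.
verify_advisory() {
    dir=$1 excerpt=$2 rc=0 url=""
    while read -r line; do
        case $line in
            http://*|https://*) url=$line ;;
            "Size/MD5 checksum:"*)
                set -- $line                 # $3 = size, $4 = md5
                name=${url##*/}
                if verify_file "$dir/$name" "$3" "$4"; then
                    echo "OK   $name"
                else
                    echo "FAIL $name"; rc=1
                fi ;;
        esac
    done <<EOF
$excerpt
EOF
    return $rc
}

# Stand-alone demo: create the constructed sample files ("hello\n", 6 bytes)
# in a temporary directory and verify them against the excerpt.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample_1.9.0.9-0lenny2.dsc"
printf 'hello\n' > "$demo_dir/sample_1.9.0.9-0lenny2.diff.gz"
verify_advisory "$demo_dir" "$ADVISORY_EXCERPT"
rm -rf "$demo_dir"
```

Only a size and MD5 match is checked because that is what the advisory provides; the PGP signature on the advisory itself still has to be verified separately.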
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9-0lenny2.diff.gz
Size/MD5 checksum: 117026 d09669d48cd57ec9457f027e1cbb6513
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9.orig.tar.gz
Size/MD5 checksum: 43676083 2d15d3f226cf0fc7210eb112cdbd2869
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9-0lenny2.dsc
Size/MD5 checksum: 1785 4dfb97c89b31cc0395fe3e07ace099ad
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.9-0lenny2_all.deb
Size/MD5 checksum: 1483776 a42bf756251f9e3e206ede146db8f956
alpha architecture (DEC Alpha)
[continued in next message]