Forum: >>> Magnum BBS <<<

[SECURITY] [DSA 1840-1] New xulrunner packages fix several vulnerabilit

From Steffen Joeris@1:229/2 to All on Thu Jul 23 12:40:10 2009

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1840-1 [email protected] http://www.debian.org/security/ Steffen Joeris
July 23, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xulrunner
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2009-2462 CVE-2009-2463 CVE-2009-2464 CVE-2009-2465
CVE-2009-2466 CVE-2009-2467 CVE-2009-2469 CVE-2009-2471
CVE-2009-2472

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-2462

Martijn Wargers, Arno Renevier, Jesse Ruderman, Olli Pettay and Blake
Kaplan disocvered several issues in the browser engine that could
potentially lead to the execution of arbitrary code. (MFSA 2009-34)

CVE-2009-2463

monarch2020 reported an integer overflow in a base64 decoding function.
(MFSA 2009-34)

CVE-2009-2464

Christophe Charron reported a possibly exploitable crash occuring when
multiple RDF files were loaded in a XUL tree element. (MFSA 2009-34)

CVE-2009-2465

Yongqian Li reported that an unsafe memory condition could be created by specially crafted document. (MFSA 2009-34)

CVE-2009-2466

Peter Van der Beken, Mike Shaver, Jesse Ruderman, and Carsten Book
discovered several issues in the JavaScript engine that could possibly
lead to the execution of arbitrary JavaScript. (MFSA 2009-34)

CVE-2009-2467

Attila Suszter discovered an issue related to a specially crafted Flash
object, which could be used to run arbitrary code. (MFSA 2009-35)

CVE-2009-2469

PenPal discovered that it is possible to execute arbitrary code via a
specially crafted SVG element. (MFSA 2009-37)

CVE-2009-2471

Blake Kaplan discovered a flaw in the JavaScript engine that might allow
an attacker to execute arbitrary JavaScript with chrome privileges.
(MFSA 2009-39)

CVE-2009-2472

moz_bug_r_a4 discovered an issue in the JavaScript engine that could be
used to perform cross-site scripting attacks. (MFSA 2009-40)

For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.12-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.12-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.12-0lenny1.dsc
Size/MD5 checksum: 1784 2e69bafb336aca4645e1b2412480d646
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.12-0lenny1.diff.gz
Size/MD5 checksum: 115977 272c3211139a5bc8b18589b13c2994ff
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.12.orig.tar.gz
Size/MD5 checksum: 43962222 60c12321966d292048b4540ef6484661

Architecture independent packages:

http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.12-0lenny1_all.deb
Size/MD5 checksum: 1463680 bb282df0a8f54e0b9529ea17d6adb2f3

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 936648 2eb64e94b4cc213be6f6cfa8bfdc9a1c
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 9489172 d0634164e64df2a81116f0b28b83c9c8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 3650294 22141e833d702cf88f156ee4db656f42
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 51074600 0fa0dabcddaa54a6254e8550c2a4afe0
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 221168 0e9d2c155e31532c784b656ed5388b9e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 431058 8805ccf7e85238ce43dec92147619332
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 111666 80c24b0dfd1a158d34f78e6045b91ca4
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 163552 2e2962e508693791149682cae6cba482
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_alpha.deb
Size/MD5 checksum: 71326 6a9373a92b1fc093e4b7c70069ff67b4

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_amd64.deb
Size/MD5 checksum: 7716828 c16acd4ce667b6c084bdc39a9e096d11
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_amd64.deb
Size/MD5 checksum: 222542 94d525cbb4d54889b70843822c0bdc38
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_amd64.deb
Size/MD5 checksum: 3286630 dff8f78b0ec2d9960834da44667724eb

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	151:40:23
Calls:	12,091
Calls today:	4
Files:	15,000
Messages:	6,517,607

[SECURITY] [DSA 1840-1] New xulrunner packages fix several vulnerabilit

Who's Online

Recent Visitors

System Info