From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1885-1                    [email protected]
http://www.debian.org/security/                      Moritz Muehlenhoff
September 14, 2009                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : xulrunner
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3070 CVE-2009-3071 CVE-2009-3072 CVE-2009-3074 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-3078
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2009-3070
Jesse Ruderman discovered crashes in the layout engine, which
might allow the execution of arbitrary code.
CVE-2009-3071
Daniel Holbert, Jesse Ruderman, Olli Pettay and "toshi" discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.
CVE-2009-3072
Josh Soref, Jesse Ruderman and Martin Wargers discovered crashes
in the layout engine, which might allow the execution of arbitrary
code.
CVE-2009-3074
Jesse Ruderman discovered a crash in the JavaScript engine, which
might allow the execution of arbitrary code.
CVE-2009-3075
Carsten Book and "Taral" discovered crashes in the layout engine,
which might allow the execution of arbitrary code.
CVE-2009-3076
Jesse Ruderman discovered that the user interface for installing/
removing PKCS #11 security modules wasn't informative enough, which
might allow social engineering attacks.
CVE-2009-3077
It was discovered that incorrect pointer handling in the XUL parser
could lead to the execution of arbitrary code.
CVE-2009-3078
Juan Pablo Lopez Yacubian discovered that incorrect rendering of
some Unicode font characters could lead to spoofing attacks on
the location bar.
For the stable distribution (lenny), these problems have been fixed
in version 1.9.0.14-0lenny1.
As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.
For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.14-1.
For the experimental distribution, these problems have been fixed in
version 1.9.1.3-1.
We recommend that you upgrade your xulrunner package.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[continued in next message]