From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1956-1                  [email protected]
http://www.debian.org/security/                       Moritz Muehlenhoff
December 16, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : xulrunner
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3986 CVE-2009-3985 CVE-2009-3984 CVE-2009-3983 CVE-2009-3981 CVE-2009-3979
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2009-3986:
David James discovered that the window.opener property allows Chrome
privilege escalation.
CVE-2009-3985:
Jordi Chanel discovered a spoofing vulnerability of the URL location bar
using the document.location property.
CVE-2009-3984:
Jonathan Morgan discovered that the icon indicating a secure connection
could be spoofed through the document.location property.
CVE-2009-3983:
Takehiro Takahashi discovered that the NTLM implementation is vulnerable
to reflection attacks.
CVE-2009-3981:
Jesse Ruderman discovered a crash in the layout engine, which might allow
the execution of arbitrary code.
CVE-2009-3979:
Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel and Olli Pettay
discovered crashes in the layout engine, which might allow the execution
of arbitrary code.
For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.16-1.
For the unstable distribution (sid), these problems have been fixed in
version 1.9.1.6-1.
We recommend that you upgrade your xulrunner packages.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[continued in next message]