Forum: >>> Magnum BBS <<<

[SECURITY] [DSA 1999-1] New xulrunner packages fix several vulnerabilit

From Moritz Muehlenhoff@1:229/2 to All on Thu Feb 18 21:10:02 2010

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1999-1 [email protected] http://www.debian.org/security/ Moritz Muehlenhoff February 18, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xulrunner
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-1571 CVE-2009-3988 CVE-2010-0159 CVE-2010-0160 CVE-2010-0162

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-1571

Alin Rad Pop discovered that incorrect memory handling in the
HTML parser could lead to the execution of arbitrary code.

CVE-2009-3988

Hidetake Jo discovered that the same-origin policy can be
bypassed through window.dialogArguments.

CVE-2010-0159

Henri Sivonen, Boris Zbarsky, Zack Weinberg, Bob Clary, Martijn
Wargers and Paul Nickerson reported crashes in layout engine,
which might allow the execution of arbitrary code.

CVE-2010-0160

Orlando Barrera II discovered that incorrect memory handling in the
implementation of the web worker API could lead to the execution
of arbitrary code.

CVE-2010-0162

Georgi Guninski discovered that the same origin policy can be
bypassed through specially crafted SVG documents.

For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.18-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.1.8-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.18-1.diff.gz
Size/MD5 checksum: 116111 961d458012f83e32e0c3eb153359cc23
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.18.orig.tar.gz
Size/MD5 checksum: 44161859 eeb10647fe0fe9a6b20cb725732b79a9
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.18-1.dsc
Size/MD5 checksum: 1755 cbbc2a673c56439890e4c75c0062e06a

Architecture independent packages:

http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.18-1_all.deb
Size/MD5 checksum: 1465392 7874b2aefed84b79736a44ef0589b3e2

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 3666096 3382b0eae2d985ae9bbcf16014806825
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 432294 c2ec2c14cabb28156734e9e6c96c84c5
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 112122 7d0db4c185015b0ec7caeb1e9843216c
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 163800 e31c406c36c7ea503f772dbebc7039ba
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 938384 af22c500dae1c84c661b0afa62b5fc2c
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 72604 4a6d162a104fd021e52e61bffe28d70e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 223528 ebfeb23f90f207524d2b14c1ab25b742
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 51113942 62902bb1c3c8349090b9055d6efa1482
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.18-1_alpha.deb
Size/MD5 checksum: 9501180 538eb45320247045794a15c4bd1071ac

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 50351080 62a347648f988e78ca90d1d65be9ed13
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 101614 206328a373e5d2992ccb19ed064c8295
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 70008 41913d4df58730fe256a0bd480308d8e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 223086 7eeb2da5ef7f96811b88e6cc97181a99
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 374298 b864e663810235886e5880c494043a01
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 890318 6fe29f796873ccdcfef29a98ca623b9c
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 7730124 0ccda6e5dbfac8f7d943b809ea6cb3dd
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 152064 f7f7bc816f78aed6b1afa7a9b42469b4
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.18-1_amd64.deb
Size/MD5 checksum: 3290046 806026ede74d749bc3a900ff56371f18

arm architecture (ARM)

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Bob Worm
  Mon Jun 8 16:33:22 2026
  from Wales, Uk via Telnet
- Bob Worm
  Mon Jun 8 14:11:46 2026
  from Wales, Uk via Telnet
- Krenn
  Mon Jun 8 11:22:02 2026
  from Sydney, Nsw via Telnet
- Bob Worm
  Mon Jun 8 08:26:26 2026
  from Wales, Uk via Telnet
- Spearb0y
  Mon Jun 8 06:51:02 2026
  from Massachusetts via SSH
- Krenn
  Mon Jun 8 05:45:38 2026
  from Sydney, Nsw via Telnet
- Bob Worm
  Sun Jun 7 20:58:28 2026
  from Wales, Uk via Telnet
- Michal Wronka
  Sun Jun 7 19:26:28 2026
  from Wroclaw, Poland via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	26:07:47
Calls:	12,106
Calls today:	6
Files:	15,006
Messages:	6,518,191

[SECURITY] [DSA 1999-1] New xulrunner packages fix several vulnerabilit

Who's Online

Recent Visitors

System Info