From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------ Debian Security Advisory DSA-2075-1
[email protected] http://www.debian.org/security/ Moritz Muehlenhoff
July 27, 2010
http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : xulrunner
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-0182 CVE-2010-0654 CVE-2010-1205 CVE-2010-1208 CVE-2010-1211 CVE-2010-1214 CVE-2010-2751 CVE-2010-2753 CVE-2010-2754
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2010-0182
Wladimir Palant discovered that security checks in XML processing
were insufficiently enforced.
CVE-2010-0654
Chris Evans discovered that insecure CSS handling could lead to
reading data across domain boundaries.
CVE-2010-1205
Aki Helin discovered a buffer overflow in the internal copy of
libpng, which could lead to the execution of arbitrary code.
CVE-2010-1208
"regenrecht" discovered that incorrect memory handling in DOM
parsing could lead to the execution of arbitrary code.
CVE-2010-1211
Jesse Ruderman, Ehsan Akhgari, Mats Palmgren, Igor Bukanov, Gary
Kwong, Tobias Markus and Daniel Holbert discovered crashes in the
layout engine, which might allow the execution of arbitrary code.
CVE-2010-1214
"JS3" discovered an integer overflow in the plugin code, which
could lead to the execution of arbitrary code.
CVE-2010-2751
Jordi Chancel discovered that the location could be spoofed to
appear like a secured page.
CVE-2010-2753
"regenrecht" discovered that incorrect memory handling in XUL
parsing could lead to the execution of arbitrary code.
CVE-2010-2754
Soroush Dalili discovered an information leak in script processing.
For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.19-3.
For the unstable distribution (sid), these problems have been fixed in
version 1.9.1.11-1.
For the experimental distribution, these problems have been fixed in
version 1.9.2.7-1.
We recommend that you upgrade your xulrunner packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.19-3.diff.gz
Size/MD5 checksum: 149955 e6ec4540373a8dfbea5c1e63f5b628b2
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.19-3.dsc
Size/MD5 checksum: 1755 59f9033377f2450ad114d9ee4367f9c7
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.19.orig.tar.gz
Size/MD5 checksum: 44174623 83667df1e46399960593fdd8832e958e
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.19-3_all.deb
Size/MD5 checksum: 1466246 a3b5c8b34df7e2077a5e3c5c0d911b85
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 165496 ad7c134eeadc1a2aa751c289052d32f1
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 433152 57f7a88c05eece5c0ea17517646267bb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 72550 b581302383396b57f7e07aa4564245b3
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 51155444 37595efd28303ec3a88d294b58c1e7aa
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 9487312 452f2c3b26bb249711720ade76e77c3f
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 223422 9ce6e6f35412321405c27618a3550763
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 113478 f4946488381af317acb3bd27da3e372e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 940250 abb2d020d4cce2e5547d17dd94323cee
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.19-3_alpha.deb
Size/MD5 checksum: 3357434 a26b339fee481f1ae5494ee0983e3e75
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.19-3_amd64.deb
Size/MD5 checksum: 50381710 4e6df9133e326ca7fe1d91adab87609b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.19-3_amd64.deb
Size/MD5 checksum: 3291324 01a75923a6b796c2e1f3c02e4584072f
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.19-3_amd64.deb
Size/MD5 checksum: 152266 0a9e05d5e36920cf9cb6c9e39357679b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.19-3_amd64.deb
Size/MD5 checksum: 7735106 eedecb0183cd911bf7416be5f61cf88e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.19-3_amd64.deb
Size/MD5 checksum: 374604 7a71d4ce527727f43225fc1cdc6b3915
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.19-3_amd64.deb
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)