*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: xulrunner

References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)

Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-4879

    Peter Brodersen and Alexander Klink discovered that the
    autoselection of SSL client certificates could lead to users
    being tracked, resulting in a loss of privacy.

CVE-2008-1233

    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.

CVE-2008-1234

    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.

CVE-2008-1235

    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling could lead to cross-site
    scripting and the execution of arbitrary code.

CVE-2008-1236

    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.

CVE-2008-1237

    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.

CVE-2008-1238

    Gregory Fleischer discovered that HTTP Referrer headers were
    handled incorrectly in combination with URLs containing Basic
    Authentication credentials with empty usernames, resulting
    in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

    Gregory Fleischer discovered that web content fetched through
    the jar: protocol can use Java to connect to arbitrary ports.
    This is only an issue in combination with the non-free Java
    plugin.

CVE-2008-1241

    Chris Thomas discovered that background tabs could generate
    XUL popups overlaying the current tab, resulting in potential
    spoofing attacks."

** Affects: xulrunner (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-4879

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1233

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1234

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1235

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1236

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1237

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1238

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1240

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1241

-- 
[xulrunner] [DSA-1532-1] several vulnerabilities
https://bugs.launchpad.net/bugs/210155
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs