Säkerhetsbulletin från Debian
DSA-1797-1 xulrunner -- flera sårbarheter
- Rapporterat den:
- 2009-05-09
- Berörda paket:
- xulrunner
- Sårbara:
- Ja
- Referenser i säkerhetsdatabaser:
- I Mitres CVE-förteckning: CVE-2009-0652, CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305, CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309, CVE-2009-1311.
- Ytterligare information:
-
Flera utifrån nåbara sårbarheter har upptäckts i Xulrunner, en körtidsmiljö för XUL-applikationer, såsom webbläsaren Iceweasel. Projektet Common Vulnerabilities and Exposures identifierar följande problem:
- CVE-2009-0652
Moxie Marlinspike upptäckte att Unicode-tecken i internationaliserade domännamn kunde användas för phishing-angrepp.
- CVE-2009-1302
Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman och Gary Kwong rapporterade krascher i layoutmotorn, vilka kan tillåta exekvering av godtycklig kod.
- CVE-2009-1303
Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman och Gary Kwong rapporterade krascher i layoutmotorn, vilka kan tillåta exekvering av godtycklig kod.
- CVE-2009-1304
Igor Bukanov och Bob Clary upptäckte krascher i Javascript-motorn, vilka kan tillåta exekvering av godtycklig kod.
- CVE-2009-1305
Igor Bukanov och Bob Clary upptäckte krascher i Javascript-motorn, vilka kan tillåta exekvering av godtycklig kod.
- CVE-2009-1306
Daniel Veditz upptäckte att huvudet Content-Disposition: ignoreras i URI-schemat jar:.
- CVE-2009-1307
Gregory Fleischer upptäckte att samma-ursprungs-policyn för Flash-filer inte upprätthålls korrekt för filer som laddats genom shemat view-source, vilket kan resultera i att policyrestriktioner för korsdomäner kringgås.
- CVE-2009-1308
Cefn Hoile upptäckte att platser som tillåter inbäddning av stilmallar från tredje part är sårbara för serveröverskridande skriptangrepp genom XBL-bindningar.
- CVE-2009-1309
moz_bug_r_a4
upptäckte att samma-ursprungs-policyn kringgås i Javascript-API:t XMLHttpRequest och XPCNativeWrapper. - CVE-2009-1311
Paolo Amadini upptäckte att felaktig hantering av POST-data när en webbplats sparas med en inbäddad ram kan leda till informationsläckage.
- CVE-2009-1312
Det upptäcktes att Iceweasel tillåter Refresh:-huvuden att omdirigera till Javascript-URI:er, vilket resulterar i serveröverskridande skriptangrepp.
För den stabila utgåvan (Lenny) har dessa problem rättats i version 1.9.0.9-0lenny2.
Precis som nämndes i versionsfakta för Etch, behövdes säkerhetsstödet för Mozilla-produkterna i den gamla stabila utgåvan avslutas innan slutet av den ordinarie livscykeln för säkerhetsarbetet för Etch. Ni uppmanas starkt att uppgradera till den stabila utgåvan eller byta till en webbläsare som fortfarande stöds.
För den instabila utgåvan (Sid) har dessa problem rättats i version 1.9.0.9-1.
Vi rekommenderar att ni uppgraderar era xulrunner-paket.
- CVE-2009-0652
- Rättat i:
-
Debian GNU/Linux 5.0 (lenny)
- Källkod:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9-0lenny2.diff.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9.orig.tar.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9-0lenny2.dsc
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.9.orig.tar.gz
- Arkitekturoberoende komponent:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.9-0lenny2_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.9-0lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.9-0lenny2_sparc.deb
MD5-kontrollsummor för dessa filer finns i originalbulletinen.