Debian Security Advisory
DSA-1820-1 xulrunner -- several vulnerabilities
- Date reported:
- 18 Jun 2009
- Affected packages:
- xulrunner
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1834, CVE-2009-1835, CVE-2009-1836, CVE-2009-1837, CVE-2009-1838, CVE-2009-1839, CVE-2009-1840, CVE-2009-1841.
- More information:
Several remotely exploitable vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project has identified the following problems:
- CVE-2009-1392
Several issues in the browser engine have been discovered, which could result in the execution of arbitrary code. (MFSA 2009-24)
- CVE-2009-1832
It was possible to execute arbitrary code via attack vectors involving double frame construction. (MFSA 2009-24)
- CVE-2009-1833
Jesse Ruderman and Adam Hauner discovered a problem in the JavaScript engine, which could lead to the execution of arbitrary code. (MFSA 2009-24)
- CVE-2009-1834
Pavel Cvrcek discovered a potential issue leading to a spoofing attack on the location bar, related to certain invalid unicode characters. (MFSA 2009-25)
- CVE-2009-1835
Gregory Fleischer discovered that it was possible to read arbitrary cookies via a crafted HTML document. (MFSA 2009-26)
- CVE-2009-1836
Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential man-in-the-middle attack, when using a proxy, due to insufficient checks on certain proxy responses. (MFSA 2009-27)
- CVE-2009-1837
Jakob Balle and Carsten Eiram reported a race condition in the NPObjWrapper_NewResolve function, which could be used to execute arbitrary code. (MFSA 2009-28)
- CVE-2009-1838
moz_bug_r_a4 discovered that it was possible to execute arbitrary JavaScript with chrome privileges due to an error in the garbage-collection implementation. (MFSA 2009-29)
- CVE-2009-1839
Adam Barth and Collin Jackson reported a potential privilege escalation when loading a file::resource via the location bar. (MFSA 2009-30)
- CVE-2009-1840
Wladimir Palant discovered that it was possible to bypass access restrictions due to a missing content policy check when loading a script file into a XUL document. (MFSA 2009-31)
- CVE-2009-1841
moz_bug_r_a4 reported that it was possible for scripts from page content to run with elevated privileges and thus potentially execute arbitrary code with the object's chrome privileges. (MFSA 2009-32)
For the stable distribution (lenny), these problems have been fixed in version 1.9.0.11-0lenny1.
As indicated in the etch release notes, security support for Mozilla products in the oldstable distribution had to be stopped before the end of the regular security support for etch. You are strongly encouraged to upgrade to the stable distribution or switch to a still supported browser.
For the testing distribution (squeeze), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version 1.9.0.11-1.
We recommend that you upgrade your xulrunner packages.
- Fixed in:
- Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.11.orig.tar.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.11-0lenny1.diff.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.11-0lenny1.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.11-0lenny1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.11-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.11-0lenny1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.