==========================================================================
Ubuntu Security Notice USN-1600-1
October 09, 2012

firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Multiple security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and others discovered several memory corruption flaws in Firefox. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989)
David Bloom and Jordi Chancel discovered that Firefox did not always properly handle the <select> element. A remote attacker could exploit this to conduct URL spoofing and clickjacking attacks. (CVE-2012-3984)
Collin Jackson discovered that Firefox did not properly follow the HTML5 specification for document.domain behavior. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution. (CVE-2012-3985)
Johnny Stenback discovered that Firefox did not properly perform security checks on test methods for DOMWindowUtils. (CVE-2012-3986)
Alice White discovered that the security checks for GetProperty could be bypassed when using JSAPI. If a user were tricked into opening a specially crafted web page, a remote attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2012-3991)
Mariusz Mlynski discovered a history state error in Firefox. A remote attacker could exploit this to spoof the location property to inject script or intercept posted data. (CVE-2012-3992)
Mariusz Mlynski and others discovered several flaws in Firefox that allowed a remote attacker to conduct cross-site scripting (XSS) attacks. (CVE-2012-3993, CVE-2012-3994, CVE-2012-4184)
Abhishek Arya, Atte Kettunen and others discovered several memory flaws in Firefox when using the Address Sanitizer tool. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 LTS: firefox 16.0+build1-0ubuntu0.12.04.1
Ubuntu 11.10: firefox 16.0+build1-0ubuntu0.11.10.1
Ubuntu 11.04: firefox 16.0+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS: firefox 16.0+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1600-1
CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
Package Information:
https://launchpad.net/ubuntu/+source/firefox/16.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/16.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/16.0+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/firefox/16.0+build1-0ubuntu0.10.04.1