Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in Xulrunnner
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Xulrunnner
ID: USN-1353-1
Distribution: Ubuntu
Plattformen: Ubuntu 10.04 LTS, Ubuntu 10.10
Datum: Mi, 8. Februar 2012, 17:31
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0449
Applikationen: Xulrunnner

Originalnachricht


--===============8703977643103201997==
Content-Type: multipart/signed; micalg="pgp-sha512";
protocol="application/pgp-signature";
boundary="=-G8aO1GV0uKt72gn41rKb"


--=-G8aO1GV0uKt72gn41rKb
Content-Type: text/plain; charset="UTF-8
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-1353-1
February 08, 2012

xulrunner-1.9.2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Xulrunner.

Software Description:
- xulrunner-1.9.2: Mozilla Gecko runtime environment

Details:

Jesse Ruderman and Bob Clary discovered memory safety issues affecting the
Gecko Browser engine. If the user were tricked into opening a specially
crafted page, an attacker could exploit these to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Xulrunner. (CVE-2012-0442)

It was discovered that the Gecko Browser engine did not properly handle
node removal in the DOM. If the user were tricked into opening a specially
crafted page, an attacker could exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Xulrunner. (CVE-2011-3659)

It was discovered that memory corruption could occur during the decoding of
Ogg Vorbis files. If the user were tricked into opening a specially crafted
file, an attacker could exploit this to cause a denial of service via
application crash, or potentially execute code with the privileges of the
user invoking Xulrunner. (CVE-2012-0444)

Nicolas Gregoire and Aki Helin discovered that when processing a malformed
embedded XSLT stylesheet, Xulrunner can crash due to memory corruption. If
the user were tricked into opening a specially crafted page, an attacker
could exploit this to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Xulrunner.
(CVE-2012-0449)

Gregory Fleischer discovered that requests using IPv6 hostname syntax
through certain proxies might generate errors. An attacker might be able to
use this to read sensitive data from the error messages. (CVE-2011-3670)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
xulrunner-1.9.2 1.9.2.26+build2+nobinonly-0ubuntu0.10.10.1

Ubuntu 10.04 LTS:
xulrunner-1.9.2 1.9.2.26+build2+nobinonly-0ubuntu0.10.04.1

After a standard system update you need to restart Yelp or any other
application based on Xulrunner to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1353-1
CVE-2011-3659, CVE-2011-3659, CVE-2011-3670, CVE-2012-0442,
CVE-2012-0444, CVE-2012-0449

Package Information:
https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.26+build2+nobinonly-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.26+build2+nobinonly-0ubuntu0.10.04.1



--Ð8aO1GV0uKt72gn41rKb
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAABCgAGBQJPMp1LAAoJEGVp2FWnRL6TRLkP/34cfwH7r9gi3ROjSQWgifSy
TVzfyVqfvk5GpKmIHkumQOdMC1mkLyDTSCXg4loLt8IBnvmoOZVBfvxUBfThMapT
wNNRbsLrJjLUMRyDlzIKKyZKbne4kgfoAAIRnRrYlrV115Kyvh4wZPfUHXpUYzLe
gdFg+dzAIDGvSrhp2F6vTvj8d9K9piOCB2NigwGopNPp4pWcNs9B1f/nPTGnqmvE
Hgl2s07f474j3TYGtw3cT+Fl7hM5zJR+Y6cz1a1YD6mOcUZ0YtsHZl/wY1/rqlbt
DIhvFCKGgceA+uMHgE9R8o++Vib9XtUq95f1/pVwgZ1uaRVk8KJXp9RIb6D/G6jF
4TxKJUCp9C5pV/3FwT0R/OA3ZoMKWw09+7ht+ylTGBtqm/b86zF5PMnileFnaXnU
ttaHw416YyjscZGAl9pDl0WY+c5OX6Nqk0hzM2EoQxwzS531VYt/wgTHtIJP+wLR
IvJ8tf+Mq/t5k2WglrNzBJz5rhlO2af2YpzPII9mvDFb+uob09sE+e5fLRjmB9t0
39oXm7n904FvzdozVP7JKaOuBHZy3t9mkh8CpFOyMEmNgm12Jb9NN5VnRCUTOf8d
22XuCh9eol3Jv/VtoKYv1mXOPvKpc3Iurtn6s75orkRVdoYBQLlCQP3KdfoQcI3J
Xf+sawv83g2Rlpp50w7P
=ERZJ
-----END PGP SIGNATURE-----

--=-G8aO1GV0uKt72gn41rKb--



--===============8703977643103201997==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============8703977643103201997==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung