
various outstanding security updates in mozilla universe packages (as of 1.8.1.13)

Reported by disabled.user on 2008-04-01
Affects             Status  Importance  Assigned to  Milestone
iceape (Ubuntu)             Undecided   Unassigned
  Edgy                      Undecided   Unassigned
  Feisty                    Undecided   Unassigned
  Gutsy                     High        Unassigned
  Hardy                     Undecided   Unassigned
seamonkey (Ubuntu)          High        Unassigned
  Edgy                      Undecided   Unassigned
  Feisty                    Undecided   Unassigned
  Gutsy                     Undecided   Unassigned
  Hardy                     High        Unassigned
xulrunner (Ubuntu)          High        Unassigned
  Edgy                      High        Unassigned
  Feisty                    High        Unassigned
  Gutsy                     High        Unassigned
  Hardy                     High        Unassigned

Bug Description

Various security issues that have been disclosed for Mozilla products (as of 1.8.1.13, aka ffox 2.0.0.13) are unfixed in Ubuntu.

Examples of outstanding issues for xulrunner:

References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)

Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-4879

    Peter Brodersen and Alexander Klink discovered that the
    autoselection of SSL client certificates could lead to users
    being tracked, resulting in a loss of privacy.

CVE-2008-1233

    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.

CVE-2008-1234

    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.

CVE-2008-1235

    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling could lead to cross-site
    scripting and the execution of arbitrary code.

CVE-2008-1236

    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.

CVE-2008-1237

    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.

CVE-2008-1238

    Gregory Fleischer discovered that HTTP Referrer headers were
    handled incorrectly in combination with URLs containing Basic
    Authentication credentials with empty usernames, resulting
    in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

    Gregory Fleischer discovered that web content fetched through
    the jar: protocol can use Java to connect to arbitrary ports.
    This is only an issue in combination with the non-free Java
    plugin.

CVE-2008-1241

    Chris Thomas discovered that background tabs could generate
    XUL popups overlaying the current tab, resulting in potential
    spoofing attacks."

The same CVEs cover iceape:
DSA-1534-1 (http://www.debian.org/security/2008/dsa-1534)
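The CVE-2008-1238 entry above concerns Referer handling for URLs that embed Basic Authentication credentials, including the edge case of an empty username with a password (`http://:secret@host/`). The following is an added example, not code from this bug, from the Debian advisory, or from Mozilla, and it does not reproduce Mozilla's actual fix. It shows the generic defensive pattern a user agent or proxy can apply: classify whatever userinfo a URL carries, and derive the Referer value from the URL with userinfo and fragment stripped. The function names `credential_state` and `safe_referer` and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def credential_state(url: str) -> str:
    """Classify the userinfo component embedded in a URL.

    Returns one of:
      'none'                - no credentials in the URL
      'user'                - username only
      'user+password'       - username and password
      'empty-user+password' - password with an empty username (the
                              CVE-2008-1238 shape, e.g. http://:pw@host/)
    """
    parts = urlsplit(url)
    if parts.password is None:
        # "http://@host/" parses as an empty username; treat it as none.
        return "user" if parts.username else "none"
    if parts.username == "":
        return "empty-user+password"
    return "user+password"


def safe_referer(url: str):
    """Derive a Referer value that never leaks embedded credentials.

    Keeps scheme, host, port, path and query; drops userinfo and fragment.
    Returns None for non-HTTP(S) schemes, for which no Referer should be
    sent at all.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname or ""          # lower-cased, userinfo removed
    if ":" in host:                      # IPv6 literal: restore brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample URLs covering the cases the advisory describes.
    samples = [
        "http://example.com/page",
        "http://alice@example.com/page",
        "http://alice:secret@example.com/page",
        "http://:secret@example.com/page",
        "https://:secret@Example.com:8443/a/b?x=1#top",
        "file:///etc/passwd",
    ]
    for u in samples:
        print(f"{u!r}: credentials={credential_state(u)} referer={safe_referer(u)!r}")
```

The classification is what a detection rule or a proxy log filter would key on; the sanitizer is what a client should apply before placing a navigation source into any outgoing header.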

Alexander Sack (asac) wrote :

iceape in gutsy should get a security update.

Changed in iceape:
status: New → Invalid
status: New → Invalid
status: New → Confirmed
status: New → Invalid
Changed in seamonkey:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Alexander Sack (asac) wrote :

seamonkey is already fixed in hardy.

Changed in seamonkey:
importance: Undecided → High
status: New → Fix Released
Changed in iceape:
importance: Undecided → High
Alexander Sack (asac) wrote :

xulrunner needs a security update in edgy, feisty and gutsy.

Changed in xulrunner:
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
Alexander Sack (asac) wrote :

Hardy already fixed in 1.8.1.13+nobinonly-0ubuntu1

Changed in xulrunner:
status: New → Fix Released
importance: Undecided → High
description: updated
description: updated
description: updated
Luca Falavigna (dktrkranz) wrote :

Edgy reached EOL on April 25th, 2008.

Changed in xulrunner:
status: Confirmed → Won't Fix

Please could someone mark this as Won't Fix for Feisty?

Hew McLachlan (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in xulrunner:
status: Confirmed → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in iceape (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in xulrunner (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in iceape (Ubuntu Gutsy):
status: Won't Fix → Invalid