Comment 0 for bug 210155

Binary package hint: xulrunner

References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)

Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-4879

    Peter Brodersen and Alexander Klink discovered that the
    autoselection of SSL client certificates could lead to users
    being tracked, resulting in a loss of privacy.

CVE-2008-1233

    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.

CVE-2008-1234

    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.

CVE-2008-1235

    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling could lead to cross-site
    scripting and the execution of arbitrary code.

CVE-2008-1236

    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.

CVE-2008-1237

    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.

CVE-2008-1238

    Gregory Fleischer discovered that HTTP Referrer headers were
    handled incorrectly in combination with URLs containing Basic
    Authentication credentials with empty usernames, resulting
    in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

    Gregory Fleischer discovered that web content fetched through
    the jar: protocol can use Java to connect to arbitrary ports.
    This is only an issue in combination with the non-free Java
    plugin.

CVE-2008-1241

    Chris Thomas discovered that background tabs could generate
    XUL popups overlaying the current tab, resulting in potential
    spoofing attacks."