2008-04-01 09:23:18 |
disabled.user |
bug |
|
|
added bug |
2008-04-01 09:46:04 |
disabled.user |
bug |
|
|
assigned to iceape (Ubuntu) |
2008-04-01 09:47:12 |
disabled.user |
title |
[xulrunner] [DSA-1532-1] several vulnerabilities |
[xulrunner, iceape] [DSA-1532-1, DSA-1534-1] several vulnerabilities |
|
2008-04-01 19:46:30 |
Alexander Sack |
bug |
|
|
assigned to iceape (Ubuntu) |
2008-04-01 19:47:20 |
Alexander Sack |
iceape: status |
New |
Invalid |
|
2008-04-01 19:47:29 |
Alexander Sack |
iceape: status |
New |
Invalid |
|
2008-04-01 19:47:45 |
Alexander Sack |
iceape: status |
New |
Confirmed |
|
2008-04-01 19:47:54 |
Alexander Sack |
iceape: status |
New |
Invalid |
|
2008-04-01 19:48:03 |
Alexander Sack |
seamonkey: status |
New |
Invalid |
|
2008-04-01 19:48:11 |
Alexander Sack |
seamonkey: status |
New |
Invalid |
|
2008-04-01 19:48:21 |
Alexander Sack |
seamonkey: status |
New |
Invalid |
|
2008-04-01 19:48:45 |
Alexander Sack |
seamonkey: importance |
Undecided |
High |
|
2008-04-01 19:48:45 |
Alexander Sack |
seamonkey: status |
New |
Fix Released |
|
2008-04-01 19:48:56 |
Alexander Sack |
iceape: importance |
Undecided |
High |
|
2008-04-01 19:49:27 |
Alexander Sack |
xulrunner: importance |
Undecided |
High |
|
2008-04-01 19:49:27 |
Alexander Sack |
xulrunner: status |
New |
Confirmed |
|
2008-04-01 19:49:39 |
Alexander Sack |
xulrunner: importance |
Undecided |
High |
|
2008-04-01 19:49:39 |
Alexander Sack |
xulrunner: status |
New |
Confirmed |
|
2008-04-01 19:49:50 |
Alexander Sack |
xulrunner: importance |
Undecided |
High |
|
2008-04-01 19:49:50 |
Alexander Sack |
xulrunner: status |
New |
Confirmed |
|
2008-04-01 19:50:13 |
Alexander Sack |
xulrunner: status |
New |
Fix Released |
|
2008-04-01 19:50:25 |
Alexander Sack |
xulrunner: importance |
Undecided |
High |
|
2008-04-01 19:51:12 |
Alexander Sack |
title |
[xulrunner, iceape] [DSA-1532-1, DSA-1534-1] several vulnerabilities |
various outstanding security updates in mozilla universe packages |
|
2008-04-01 19:52:28 |
Alexander Sack |
description |
Binary package hint: xulrunner
References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks." |
various
Binary package hint: xulrunner
References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks." |
|
2008-04-01 19:52:28 |
Alexander Sack |
title |
various outstanding security updates in mozilla universe packages |
various outstanding security updates in mozilla universe packages (as of 1.8.1.13) |
|
2008-04-01 19:52:59 |
Alexander Sack |
description |
various
Binary package hint: xulrunner
References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks." |
Various security issues that have been disclosed for Mozilla products are currently unfixed in Ubuntu.
Binary package hint: xulrunner
References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks." |
|
2008-04-01 19:53:51 |
Alexander Sack |
description |
Various security issues that have been disclosed for Mozilla products are currently unfixed in Ubuntu.
Binary package hint: xulrunner
References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks." |
Various security issues that have been disclosed for Mozilla products (as of 1.8.1.13 aka ffox 2.0.0.13) are unfixed in Ubuntu.
Examples of outstanding issues for xulrunner:
References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks." |
|
2008-07-08 08:17:09 |
Luca Falavigna |
xulrunner: status |
Confirmed |
Won't Fix |
|
2008-12-15 02:30:00 |
Hew |
xulrunner: status |
Confirmed |
Won't Fix |
|
2008-12-15 02:30:00 |
Hew |
xulrunner: statusexplanation |
|
Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix. |
|
2009-05-07 10:00:32 |
Sergio Zanchetta |
iceape (Ubuntu Gutsy): status |
Confirmed |
Won't Fix |
|
2009-05-07 10:00:52 |
Sergio Zanchetta |
xulrunner (Ubuntu Gutsy): status |
Confirmed |
Won't Fix |
|
2009-05-07 10:01:08 |
Sergio Zanchetta |
iceape (Ubuntu Gutsy): status |
Won't Fix |
Invalid |
|