Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks."
Binary package hint: xulrunner
References: www.debian. org/security/ 2008/dsa- 1532)
DSA-1532-1 (http://
Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-4879
Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and apper.
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWr
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
CVE-2008-1238
Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.
CVE-2008-1240
Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.
CVE-2008-1241
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks."