Ubuntu
xulrunner package

various outstanding security updates in mozilla universe packages (as of 1.8.1.13)

  1. Edgy (6.10)
  2. Bug #210155
Bug #210155 reported by disabled.user
260
Affects Status Importance Assigned to Milestone
iceape (Ubuntu)
Invalid
Undecided
Unassigned
Edgy
Invalid
Undecided
Unassigned
Feisty
Invalid
Undecided
Unassigned
Gutsy
Invalid
High
Unassigned
Hardy
Invalid
Undecided
Unassigned
seamonkey (Ubuntu)
Fix Released
High
Unassigned
Edgy
Invalid
Undecided
Unassigned
Feisty
Invalid
Undecided
Unassigned
Gutsy
Invalid
Undecided
Unassigned
Hardy
Fix Released
High
Unassigned
xulrunner (Ubuntu)
Fix Released
High
Unassigned
Edgy
Won't Fix
High
Unassigned
Feisty
Won't Fix
High
Unassigned
Gutsy
Won't Fix
High
Unassigned
Hardy
Fix Released
High
Unassigned

Bug Description

various security issues that have been disclosed for mozilla products (as of 1.8.1.13 aka ffox 2.0.0.13) are unfixed in ubuntu.

Examples of outstanding issues for xulrunner:

References:
DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)

Quoting:
"Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-4879

    Peter Brodersen and Alexander Klink discovered that the
    autoselection of SSL client certificates could lead to users
    being tracked, resulting in a loss of privacy.

CVE-2008-1233

    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.

CVE-2008-1234

    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.

CVE-2008-1235

    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling could lead to cross-site
    scripting and the execution of arbitrary code.

CVE-2008-1236

    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.

CVE-2008-1237

    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.

CVE-2008-1238

    Gregory Fleischer discovered that HTTP Referrer headers were
    handled incorrectly in combination with URLs containing Basic
    Authentication credentials with empty usernames, resulting
    in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

    Gregory Fleischer discovered that web content fetched through
    the jar: protocol can use Java to connect to arbitrary ports.
    This is only an issue in combination with the non-free Java
    plugin.

CVE-2008-1241

    Chris Thomas discovered that background tabs could generate
    XUL popups overlaying the current tab, resulting in potential
    spoofing attacks."

See original description
Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

The same CVEs cover iceape:
DSA-1534-1 (http://www.debian.org/security/2008/dsa-1534)

Revision history for this message
John Vivirito (gnomefreak) wrote : Re: [xulrunner, iceape] [DSA-1532-1, DSA-1534-1] several vulnerabilities

iceape was removed from Hardy repos

Revision history for this message
Alexander Sack (asac) wrote :

iceape in gutsy should get a security update.

Changed in iceape:
status: New → Invalid
status: New → Invalid
status: New → Confirmed
status: New → Invalid
Changed in seamonkey:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Revision history for this message
Alexander Sack (asac) wrote :

seamonkey is already fixed in hardy.

Changed in seamonkey:
importance: Undecided → High
status: New → Fix Released
Changed in iceape:
importance: Undecided → High
Revision history for this message
Alexander Sack (asac) wrote :

xulrunner needs a security update in edgy, feisty and gutsy.

Changed in xulrunner:
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Alexander Sack (asac) wrote :

hardy already fixed in 1.8.1.13+nobinonly-0ubuntu1

Changed in xulrunner:
status: New → Fix Released
importance: Undecided → High
description: updated
description: updated
description: updated
Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Edgy reached EOL on April 25th, 2008.

Changed in xulrunner:
status: Confirmed → Won't Fix
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Please could someone mark this as Won't Fix for Feisty?

Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in xulrunner:
status: Confirmed → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in iceape (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in xulrunner (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in iceape (Ubuntu Gutsy):
status: Won't Fix → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.