Debian-Sicherheitsankündigung

DSA-1425-1 xulrunner -- Mehrere Verwundbarkeiten

Datum des Berichts:

08. Dez 2007

Betroffene Pakete:

xulrunner

Verwundbar:

Sicherheitsdatenbanken-Referenzen:

In Mitres CVE-Verzeichnis: CVE-2007-5947, CVE-2007-5959, CVE-2007-5960.

Weitere Informationen:

Mehrere entfernt ausnutzbare Verwundbarkeiten wurden in Xulrunner, einer Laufzeitumgebung für XUL-Anwendungen, entdeckt. Das Common Vulnerabilities and Exposures-Projekt identifiziert die folgenden Probleme:

CVE-2007-5947
Jesse Ruderman und Petko D. Petkov entdeckten, dass der URI-Handler für JAR-Archive Site-übergreifendes Skripting ermöglicht.
CVE-2007-5959
Mehrere Abstürze in der Layout-Engine wurden entdeckt, die die Ausführung beliebigen Codes ermöglichen.
CVE-2007-5960
Gregory Fleischer entdeckte eine Race-Condition im Umgang mit der Eigenschaft window.location, die zu einer Site-übergreifenden Anfragefälschung führen kann.

Die alte Stable-Distribution (Sarge) enthält xulrunner nicht.

Für die Stable-Distribution (Etch) wurden diese Probleme in Version 1.8.0.14~pre071019c-0etch1 behoben.

Für die Unstable-Distribution (Sid) wurden diese Probleme in Version 1.8.1.11-1 behoben.

Wir empfehlen Ihnen, Ihre xulrunner-Pakete zu aktualisieren.

Behoben in:

Debian GNU/Linux 4.0 (stable)

Quellcode:: http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1.dsc; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c.orig.tar.gz; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1.diff.gz
Architektur-unabhängige Dateien:: http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-dev_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libsmjs-dev_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul-common_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-dev_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libsmjs1_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.8.0.14~pre071019c-0etch1_all.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul-dev_1.8.0.14~pre071019c-0etch1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_arm.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_i386.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_mips.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_s390.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.14~pre071019c-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.14~pre071019c-0etch1_sparc.deb

MD5-Prüfsummen der aufgeführten Dateien stehen in der ursprünglichen Sicherheitsankündigung zur Verfügung.