DSA-1704 xulrunner -- several vulnerabilitiesID: oval:org.secpod.oval:def:600343 | Date: (C)2011-05-13 (M)2023-02-20 |
Class: PATCH | Family: unix |
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-5500 Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. CVE-2008-5503 Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. CVE-2008-5506 Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. CVE-2008-5507 Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. CVE-2008-5508 Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. CVE-2008-5511 It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." CVE-2008-5512 It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. For the stable distribution these problems have been fixed in version 1.8.0.15~pre080614i-0etch1. For the testing distribution and the unstable distribution these problems have been fixed in version 1.9.0.5-1. We recommend that you upgrade your xulrunner packages.