RSSfeed
2008-12-18, 00:12
Referenced CVEs:
CVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513
Description:
================================================== =========Ubuntu Security Notice USN-690-2 December 18, 2008firefox vulnerabilitiesCVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506,CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511,CVE-2008-5512, CVE-2008-5513============================================== =============A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: firefox 1.5.dfsg+1.5.0.15~prepatch080614i-0ubuntu1Ubuntu 7.10: firefox 2.0.0.19+nobinonly1-0ubuntu0.7.10.1After a standard system upgrade you need to restart Firefox to effect thenecessary changes.Details follow:Several flaws were discovered in the browser engine. These problems could allowan attacker to crash the browser and possibly execute arbitrary code with userprivileges. (CVE-2008-5500)Boris Zbarsky discovered that the same-origin check in Firefox could bebypassed by utilizing XBL-bindings. An attacker could exploit this to read datafrom other domains. (CVE-2008-5503)Several problems were discovered in the JavaScript engine. An attacker couldexploit feed preview vulnerabilities to execute scripts from page content withchrome privileges. (CVE-2008-5504)Marius Schilder discovered that Firefox did not properly handle redirects toan outside domain when an XMLHttpRequest was made to a same-origin resource.It's possible that sensitive information could be revealed in theXMLHttpRequest response. (CVE-2008-5506)Chris Evans discovered that Firefox did not properly protect a user's data whenaccessing a same-domain Javascript URL that is redirected to an unparsableJavascript off-site resource. If a user were tricked into opening a maliciouswebsite, an attacker may be able to steal a limited amount of private data.(CVE-2008-5507)Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Firefoxdid not properly parse URLs when processing certain control characters.(CVE-2008-5508)Kojima Hajime discovered that Firefox did not properly handle an escaped nullcharacter. An attacker may be able to exploit this flaw to bypass scriptsanitization. (CVE-2008-5510)Several flaws were discovered in the Javascript engine. If a user were trickedinto opening a malicious website, an attacker could exploit this to executearbitrary Javascript code within the context of another website or with chromeprivileges. (CVE-2008-5511, CVE-2008-5512)Flaws were discovered in the session-restore feature of Firefox. If a user weretricked into opening a malicious website, an attacker could exploit this toperform cross-site scripting attacks or execute arbitrary Javascript code withchrome privileges. (CVE-2008-5513)
Läs mer... (http://www.ubuntu.com/usn/usn-690-2)
Inlägget är automatiskt hämtat från www.ubuntu.com (http://www.ubuntu.com)
CVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513
Description:
================================================== =========Ubuntu Security Notice USN-690-2 December 18, 2008firefox vulnerabilitiesCVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506,CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511,CVE-2008-5512, CVE-2008-5513============================================== =============A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: firefox 1.5.dfsg+1.5.0.15~prepatch080614i-0ubuntu1Ubuntu 7.10: firefox 2.0.0.19+nobinonly1-0ubuntu0.7.10.1After a standard system upgrade you need to restart Firefox to effect thenecessary changes.Details follow:Several flaws were discovered in the browser engine. These problems could allowan attacker to crash the browser and possibly execute arbitrary code with userprivileges. (CVE-2008-5500)Boris Zbarsky discovered that the same-origin check in Firefox could bebypassed by utilizing XBL-bindings. An attacker could exploit this to read datafrom other domains. (CVE-2008-5503)Several problems were discovered in the JavaScript engine. An attacker couldexploit feed preview vulnerabilities to execute scripts from page content withchrome privileges. (CVE-2008-5504)Marius Schilder discovered that Firefox did not properly handle redirects toan outside domain when an XMLHttpRequest was made to a same-origin resource.It's possible that sensitive information could be revealed in theXMLHttpRequest response. (CVE-2008-5506)Chris Evans discovered that Firefox did not properly protect a user's data whenaccessing a same-domain Javascript URL that is redirected to an unparsableJavascript off-site resource. If a user were tricked into opening a maliciouswebsite, an attacker may be able to steal a limited amount of private data.(CVE-2008-5507)Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Firefoxdid not properly parse URLs when processing certain control characters.(CVE-2008-5508)Kojima Hajime discovered that Firefox did not properly handle an escaped nullcharacter. An attacker may be able to exploit this flaw to bypass scriptsanitization. (CVE-2008-5510)Several flaws were discovered in the Javascript engine. If a user were trickedinto opening a malicious website, an attacker could exploit this to executearbitrary Javascript code within the context of another website or with chromeprivileges. (CVE-2008-5511, CVE-2008-5512)Flaws were discovered in the session-restore feature of Firefox. If a user weretricked into opening a malicious website, an attacker could exploit this toperform cross-site scripting attacks or execute arbitrary Javascript code withchrome privileges. (CVE-2008-5513)
Läs mer... (http://www.ubuntu.com/usn/usn-690-2)
Inlägget är automatiskt hämtat från www.ubuntu.com (http://www.ubuntu.com)