| Description: | Summary:
The remote host is missing an update for the Debian 'xulrunner' package(s) announced via the DSA-1669-1 advisory.
Vulnerability Insight:
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0016
Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code.
CVE-2008-3835
'moz_bug_r_a4' discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could by bypassed.
CVE-2008-3836
'moz_bug_r_a4' discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation.
CVE-2008-3837
Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop.
CVE-2008-4058
'moz_bug_r_a4' discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers.
CVE-2008-4059
'moz_bug_r_a4' discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers.
CVE-2008-4060
Olli Pettay and 'moz_bug_r_a4' discovered a Chrome privilege escalation vulnerability in XSLT handling.
CVE-2008-4061
Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code.
CVE-2008-4062
Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code.
CVE-2008-4065
Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string.
CVE-2008-4066
Gareth Heyes discovered that some Unicode surrogate characters are ignored by the HTML parser.
CVE-2008-4067
Boris Zbarsky discovered that resource: URls allow directory traversal when using URL-encoded slashes.
CVE-2008-4068
Georgi Guninski discovered that resource: URLs could bypass local access restrictions.
CVE-2008-4069
Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory.
CVE-2008-4582
Liu Die Yu discovered an information leak through local shortcut files.
CVE-2008-5012
Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions.
CVE-2008-5013
It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution.
CVE-2008-5014
Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution.
CVE-2008-5017
It was discovered that crashes in the layout engine could lead to arbitrary code execution.
CVE-2008-5018
It was discovered that crashes in the Javascript engine could lead to arbitrary code execution.
CVE-2008-0017
Justin Schuh discovered that a buffer overflow in http-index-format ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'xulrunner' package(s) on Debian 4.
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
