[USN-1251-1] Firefox and Xulrunner vulnerabilities
Posted on 10 November 2011
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-1251-1
November 10, 2011
firefox, xulrunner-1.9.2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Multiple vulnerabilities have been fixed in Firefox and Xulrunner.
Software Description:
- firefox: Mozilla Open Source web browser
- xulrunner-1.9.2: Mozilla Gecko runtime environment
Details:
It was discovered that CVE-2011-3004, which addressed possible privilege
escalation in addons, also affected Firefox 3.6. An attacker could
potentially exploit Firefox when an add-on was installed that used
loadSubscript in vulnerable ways. (CVE-2011-3647)
Yosuke Hasegawa discovered that the Mozilla browser engine mishandled
invalid sequences in the Shift-JIS encoding. A malicious website could
possibly use this flaw to steal data or inject malicious scripts into
web content. (CVE-2011-3648)
Marc Schoenefeld discovered that using Firebug to profile a JavaScript file
with many functions would cause Firefox to crash. An attacker might be able
to exploit this without using the debugging APIs, which would potentially
allow an attacker to remotely crash the browser. (CVE-2011-3650)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
  firefox          3.6.24+build2+nobinonly-0ubuntu0.10.10.1
  xulrunner-1.9.2  1.9.2.24+build2+nobinonly-0ubuntu0.10.10.1
Ubuntu 10.04 LTS:
  firefox          3.6.24+build2+nobinonly-0ubuntu0.10.04.1
  xulrunner-1.9.2  1.9.2.24+build2+nobinonly-0ubuntu0.10.04.1
After a standard system upgrade you need to restart Firefox and any
applications that use Xulrunner to effect the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1251-1
CVE-2011-3647, CVE-2011-3648, CVE-2011-3650
Package Information:
https://launchpad.net/ubuntu/+source/firefox/3.6.24+build2+nobinonly-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.24+build2+nobinonly-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/firefox/3.6.24+build2+nobinonly-0ubuntu0.10.04.1
https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.24+build2+nobinonly-0ubuntu0.10.04.1