===========================================================
Ubuntu Security Notice USN-690-2          December 18, 2008
firefox vulnerabilities
CVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506,
CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511,
CVE-2008-5512, CVE-2008-5513
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.10:
  firefox 2.0.0.19+nobinonly1-0ubuntu0.7.10.1

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2008-5500)

Boris Zbarsky discovered that the same-origin check in Firefox could be bypassed by utilizing XBL-bindings. An attacker could exploit this to read data from other domains. (CVE-2008-5503)

Several problems were discovered in the JavaScript engine. An attacker could exploit feed preview vulnerabilities to execute scripts from page content with chrome privileges. (CVE-2008-5504)

Marius Schilder discovered that Firefox did not properly handle redirects to an outside domain when an XMLHttpRequest was made to a same-origin resource. It's possible that sensitive information could be revealed in the XMLHttpRequest response. (CVE-2008-5506)

Chris Evans discovered that Firefox did not properly protect a user's data when accessing a same-domain JavaScript URL that is redirected to an unparsable JavaScript off-site resource. If a user were tricked into opening a malicious website, an attacker may be able to steal a limited amount of private data. (CVE-2008-5507)

Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Firefox did not properly parse URLs when processing certain control characters. (CVE-2008-5508)

Kojima Hajime discovered that Firefox did not properly handle an escaped null character. An attacker may be able to exploit this flaw to bypass script sanitization. (CVE-2008-5510)

Several flaws were discovered in the JavaScript engine. If a user were tricked into opening a malicious website, an attacker could exploit this to execute arbitrary JavaScript code within the context of another website or with chrome privileges. (CVE-2008-5511, CVE-2008-5512)

Flaws were discovered in the session-restore feature of Firefox. If a user were tricked into opening a malicious website, an attacker could exploit this to perform cross-site scripting attacks or execute arbitrary JavaScript code with chrome privileges. (CVE-2008-5513)

Updated packages for Ubuntu 7.10: