Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1362
Nicolas Derouet discovered that Xulrunner performs insufficient
validation of cookies, which could lead to denial of service.
CVE-2007-2867
Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn
Wargers and Olli Pettay discovered crashes in the layout engine, which
might allow the execution of arbitrary code.
CVE-2007-2868
Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 and Wladimir
Palant discovered crashes in the JavaScript engine, which might allow
the execution of arbitrary code.
CVE-2007-2869
"Marcel" discovered that malicious web sites can cause massive
resource consumption through the auto completion feature, resulting
in denial of service.
CVE-2007-2870
"moz_bug_r_a4" discovered that adding an event listener through the
addEventListener() function allows cross-site scripting.
CVE-2007-2871
Chris Thomas discovered that XUL popups can be abused for spoofing
or phishing attacks.
The oldstable distribution (sarge) doesn't include xulrunner.
1.8.0.12-0etch1