Package: mozilla
Version: 2:1.7.8-1sarge3
Severity: grave
Justification: user security hole
Tags: security, fixed-upstream

Mozilla 1.7.13, which was released tonight, fixes various security bugs.
This applies to sid/etch (mozilla 1.7.12) and sarge (mozilla 1.7.12
labeled as 1.7.8-1sarge3).

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.13
| Fixed in Mozilla 1.7.13
| MFSA 2006-27 Table Rebuilding Code Execution Vulnerability
| MFSA 2006-25 Privilege escalation through Print Preview
| MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
| MFSA 2006-23 File stealing by changing input type
| MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
| MFSA 2006-21 JavaScript execution in mail when forwarding in-line
| MFSA 2006-19 Cross-site scripting using .valueOf.call()
| MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
| MFSA 2006-17 cross-site scripting through window.controllers
| MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
| MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
| MFSA 2006-14 Privilege escalation via XBL.method.eval
| MFSA 2006-13 Downloading executables with "Save Image As..."
| MFSA 2006-12 Secure-site spoof (requires security warning dialog)
| MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
| MFSA 2006-10 JavaScript garbage-collection hazard audit
| MFSA 2006-09 Cross-site JavaScript injection using event handlers
| MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
| MFSA 2006-03 Long document title causes startup denial of Service
| MFSA 2006-01 JavaScript garbage-collection hazards

e.g. MFSA 2006-15
http://www.mozilla.org/security/announce/2006/mfsa2006-15.html fits
nicely into the definition of grave/user security hole:
| shutdown discovered it was possible to use the Object.watch() method
| to access an internal function object (the "clone parent") which could
| then be used to run arbitrary JavaScript code with full permission.
| This could be used to install malware such as password sniffers or
| viruses.


cu andreas

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-k7
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)

Versions of packages mozilla depends on:
ii  dpkg                     1.10.28         Package maintenance system for Deb
ii  mozilla-browser          2:1.7.8-1sarge3 The Mozilla Internet application s
pn  mozilla-mailnews                         Not found.
ii  mozilla-psm              2:1.7.8-1sarge3 The Mozilla Internet application s
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken.                                (c) Jasper Fforde
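The version labeling mentioned in the report (a sarge package carrying 1.7.12 code under the version 2:1.7.8-1sarge3) is exactly what trips up vulnerability checks that only compare version strings. As an added example, not part of this bug report and not dpkg's own code, here is a Python port of the dpkg version-ordering rules (epoch, upstream version, Debian revision, with "~" sorting before everything, even end of string), followed by two checks: a naive upstream-only check of the kind a generic scanner does, which flags the sarge package as vulnerable regardless of the code it carries, and a per-suite fixed-version check like the one a distribution security tracker uses. The FIXED_IN table is constructed for illustration; its version strings (2:1.7.13-1, 2:1.7.8-1sarge4) are assumptions, not Debian's actual uploads.

```python
# Added example (not from the bug report or from dpkg): a Python port of the
# dpkg version-ordering rules, used to show why a version-string check
# misjudges a sarge backport such as 2:1.7.8-1sarge3.

def _order(c: str) -> int:
    """Weight of one non-digit character, as dpkg's order(): '~' sorts before
    anything (even end of string), letters sort before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit runs are compared character by character.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically: strip leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' as dpkg does: the epoch is before
    the first ':', the Debian revision after the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""   # an absent revision equals revision 0
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Same ordering as 'dpkg --compare-versions': returns -1, 0 or 1."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def upstream_at_least(installed: str, fixed_upstream: str) -> bool:
    """Naive check a generic scanner might do: look only at the upstream
    part. A sarge package keeps its 1.7.8 label even after a security
    upload, so this reports it vulnerable whatever code it carries."""
    return _verrevcmp(parse_version(installed)[1], fixed_upstream) >= 0


# Constructed per-suite table of "first version carrying the 1.7.13 fixes".
# Both entries are assumptions for illustration, not Debian's real uploads.
FIXED_IN = {
    "sid": "2:1.7.13-1",
    "sarge": "2:1.7.8-1sarge4",
}


def is_fixed(installed: str, suite: str) -> bool:
    """Correct check: compare the full version against the suite's own
    fixed version, the way a distribution security tracker does."""
    return compare_versions(installed, FIXED_IN[suite]) >= 0


if __name__ == "__main__":
    for v in ("2:1.7.8-1sarge3", "2:1.7.8-1sarge4"):
        print(v, "upstream>=1.7.13:", upstream_at_least(v, "1.7.13"),
              "fixed in sarge:", is_fixed(v, "sarge"))
```

Note that the epoch is decisive before anything else (2:1.7.8 sorts above an epoch-less 1.7.13), and that a revision suffix such as 1sarge3 sorts above plain 1, so the two functions give opposite answers for a stable-security upload: the upstream-only check never clears the sarge package, the suite-aware check clears it as soon as the revision reaches the one recorded as fixed.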