Debian DSA-2075-1 : xulrunner - several vulnerabilities
High Nessus Plugin ID 47889
Synopsis: The remote Debian host is missing a security-related update.
Description: Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2010-0182 Wladimir Palant discovered that security checks in XML processing were insufficiently enforced.
- CVE-2010-0654 Chris Evans discovered that insecure CSS handling could lead to reading data across domain boundaries.
- CVE-2010-1205 Aki Helin discovered a buffer overflow in the internal copy of libpng, which could lead to the execution of arbitrary code.
- CVE-2010-1208 'regenrecht' discovered that incorrect memory handling in DOM parsing could lead to the execution of arbitrary code.
- CVE-2010-1211 Jesse Ruderman, Ehsan Akhgari, Mats Palmgren, Igor Bukanov, Gary Kwong, Tobias Markus and Daniel Holbert discovered crashes in the layout engine, which might allow the execution of arbitrary code.
- CVE-2010-1214 'JS3' discovered an integer overflow in the plugin code, which could lead to the execution of arbitrary code.
- CVE-2010-2751 Jordi Chancel discovered that the location could be spoofed to appear like a secured page.
- CVE-2010-2753 'regenrecht' discovered that incorrect memory handling in XUL parsing could lead to the execution of arbitrary code.
- CVE-2010-2754 Soroush Dalili discovered an information leak in script processing.
Solution: Upgrade the xulrunner packages.
For the stable distribution (lenny), these problems have been fixed in version 220.127.116.11-3.