Change logs for xulrunner source package in Hardy

  • xulrunner (1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.8.04.1) hardy-security; urgency=low
    
      * New security upstream release - backports for ffox 3.0.8
        + Fixed on Firefox EOL branch
          - MFSA 2009-13 Arbitrary code execution through XUL <tree> element
          - MFSA 2009-12 XSL Transformation vulnerability
          - MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
          - MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
          - MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
          - MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
          - MFSA 2009-03 Local file stealing with SessionStore
          - MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)
        + Fixed in Firefox 2.0.0.20
          - MFSA 2008-65 Cross-domain data theft via script redirect error message (Windows)
        + Fixed in Firefox 2.0.0.19
          - MFSA 2008-69 XSS vulnerabilities in SessionStore
          - MFSA 2008-68 XSS and JavaScript privilege escalation
          - MFSA 2008-67 Escaped null characters ignored by CSS parser
          - MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
          - MFSA 2008-65 Cross-domain data theft via script redirect error message
          - MFSA 2008-64 XMLHttpRequest 302 response disclosure
          - MFSA 2008-62 Additional XSS attack vectors in feed preview
          - MFSA 2008-61 Information stealing via loadBindingDocument
          - MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
        + Fixed in Firefox 2.0.0.18
          - MFSA 2008-58 Parsing error in E4X default namespace
          - MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
          - MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
          - MFSA 2008-55 Crash and remote code execution in nsFrameManager
          - MFSA 2008-54 Buffer overflow in http-index-format parser
          - MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
          - MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
          - MFSA 2008-50 Crash and remote code execution via __proto__ tampering
          - MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
          - MFSA 2008-48 Image stealing via canvas and HTTP redirect
          - MFSA 2008-47 Information stealing via local shortcut files
        + Fixed in Firefox 2.0.0.17
          - MFSA 2008-45 XBM image uninitialized memory reading
          - MFSA 2008-44 resource: traversal vulnerabilities
          - MFSA 2008-43 BOM characters stripped from JavaScript before execution
          - MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
          - MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
          - MFSA 2008-40 Forced mouse drag
          - MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
          - MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
          - MFSA 2008-37 UTF-8 URL stack buffer overflow
        + Fixed in Firefox 2.0.0.16
          - MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
          - MFSA 2008-34 Remote code execution by overflowing CSS reference counter
        + Fixed in Firefox 2.0.0.15
          - MFSA 2008-33 Crash and remote code execution in block reflow
          - MFSA 2008-32 Remote site run as local file via Windows URL shortcut
          - MFSA 2008-31 Peer-trusted certs can use alt names to spoof
          - MFSA 2008-30 File location URL in directory listings not escaped properly
          - MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
          - MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
          - MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
          - MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
          - MFSA 2008-24 Chrome script loading from fastload file
          - MFSA 2008-23 Signed JAR tampering
          - MFSA 2008-22 XSS through JavaScript same-origin violation
          - MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
        + Fixed in Firefox 2.0.0.14
          - MFSA 2008-20 Crash in JavaScript garbage collector
    
     -- Alexander Sack <email address hidden>   Tue, 31 Mar 2009 18:52:02 +0200
  • xulrunner (1.8.1.13+nobinonly-0ubuntu1) hardy; urgency=low
    
      * New security upstream release: 1.8.1.13 (LP: #207171)
      * Security fixes:
        - MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
        - MFSA 2008-18 Java socket connection to any local port via LiveConnect
        - MFSA 2008-17 Privacy issue with SSL Client Authentication
        - MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
        - MFSA 2008-15 Crashes with evidence of memory corruption
        - MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
      * Merge from debian unstable (1.8.1.12-5). Remaining ubuntu changes:
        - debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
        - xulrunner alternative in /usr/bin
      * Drop patches applied upstream:
        - drop debian/patches/10_SECAlgorithmIDTemplate.dpatch
        - update debian/patches/00list
      * Update diverged patches:
        - update debian/patches/99_configure.dpatch
    
     -- Fabien Tassin <email address hidden>   Wed, 26 Mar 2008 00:07:56 +0000
  • xulrunner (1.8.1.11-1ubuntu1) hardy; urgency=low
    
      * Merge from debian unstable (LP: #174219), remaining changes:
         - 88_bz384304_lp117575_linkrecursion_fix_in_startscript.dpatch
         - 88_bz399589_fix_missing_symbol_with_new_nss.dpatch
         - 88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
         - xulrunner alternative in /usr/bin
           - debian/xulrunner.install
           - debian/xulrunner.{postinst,prerm}
      * Update debian/patches/99_configure.dpatch
    
     -- Fabien Tassin <email address hidden>   Wed, 05 Dec 2007 21:35:09 +0100
  • xulrunner (1.8.1.9-1ubuntu1) hardy; urgency=low
    
      * Merge from debian unstable (LP: #163271), remaining changes:
        - remaining Ubuntu patches in debian/patches:
          - 88_force-no-pragma-visibility-for-gcc-4.2_4.3
          - 88_bz384304_lp117575_linkrecursion_fix_in_startscript
        - xulrunner diversion (xulrunner.{postinst,prerm,install})
        - Maintainer set to Ubuntu MOTU Developers
      * Drop debian/patches/{68_python25_api_breakage.dpatch,
        88_ubuntu_pyginputstream.dpatch,88_ubuntu_pyiinputstream.dpatch}
        merged by Debian into debian/patches/35_python_2.5.dpatch
        - update debian/patches/00list
      * Drop debian/patches/61_python_py_ssize_t_detect now useless
        - update debian/patches/00list
      * Fix FTBFS with cairo lib needing Xrender:
        - add patch 88_bz344818_missing_library_check
        - update debian/patches/00list
      * Fix FTBFS with newer nss, allowing builds with either old nss 3.11
        or upcoming 3.12.
        - add patch 88_bz399589_fix_missing_symbol_with_new_nss
        - update debian/patches/00list
      * Update debian/patches/99_configure.dpatch
    
     -- Fabien Tassin <email address hidden>   Sat, 17 Nov 2007 17:36:34 +0100
  • xulrunner (1.8.1.4-2ubuntu5) gutsy; urgency=low
    
      * debian/control: build depend on ecj instead of ecj-bootstrap, which doesn't
        exist anymore.
    
    xulrunner (1.8.1.4-2ubuntu4) gutsy; urgency=low
    
      Prepare xul 1.8 to play nicely with forthcoming xulrunner 1.9 upload:
    
      * debian/xulrunner.install: install startup script as
        /usr/lib/xulrunner/xulrunner instead of /usr/bin/xulrunner
      * debian/xulrunner.{postinst,prerm}: introduce xulrunner alternative
        to allow multiple xulrunner versions to be installed on the same
        system.
      * debian/patches/88_bz384304_lp117575_linkrecursion_fix_in_startscript.dpatch:
        adapt patch from bugzilla 384304 to allow deep link recursions of xulrunner
        start script.
    
     -- Alexander Sack <email address hidden>   Fri, 28 Sep 2007 12:38:52 +0200