Debian Bug report logs - #329778
mozilla: Multiple security issues fixed in 1.7.12

Package: mozilla; Maintainer for mozilla is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 23 Sep 2005 10:03:02 UTC

Severity: grave

Tags: fixed, security

Found in version mozilla/2:1.7.11-1

Fixed in version 2:1.7.12-1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Takuo KITAME <kitame@debian.org>:
Bug#329778; Package mozilla.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Takuo KITAME <kitame@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mozilla: Multiple security issues fixed in 1.7.12
Date: Fri, 23 Sep 2005 11:53:17 +0200
Package: mozilla
Version: 2:1.7.11-1
Severity: grave
Tags: security
Justification: user security hole

As usual Mozilla 1.7.12 fixes several security issues. I'm copying
the bug descriptions from a Red Hat advisory, because they are not
yet public on the Mozilla website:

<-->
A bug was found in the way Mozilla processes XBM image files. If a user
views a specially crafted XBM file, it becomes possible to execute
arbitrary code as the user running Mozilla. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-2701 to
this issue.

A bug was found in the way Mozilla processes certain Unicode sequences.
It may be possible to execute arbitrary code as the user running
Mozilla, if the user views a specially crafted Unicode sequence.
(CAN-2005-2702)

A bug was found in the way Mozilla makes XMLHttp requests. It is possible
that a malicious web page could leverage this flaw to exploit other proxy
or server flaws from the victim's machine. It is also possible that this
flaw could be leveraged to send XMLHttp requests to hosts other than the
originator; the default behavior of the browser is to disallow this.
(CAN-2005-2703)

A bug was found in the way Mozilla implemented its XBL interface. It may be
possible for a malicious web page to create an XBL binding in a way
that would allow arbitrary JavaScript execution with chrome permissions.
Please note that in Mozilla 1.7.10 this issue is not directly exploitable
and would need to leverage other unknown exploits. (CAN-2005-2704)

An integer overflow bug was found in Mozilla's JavaScript engine. Under
favorable conditions, it may be possible for a malicious web page to
execute arbitrary code as the user running Mozilla. (CAN-2005-2705)

A bug was found in the way Mozilla displays about: pages. It is possible
for a malicious web page to open an about: page, such as about:mozilla, in
such a way that it becomes possible to execute JavaScript with chrome
privileges. (CAN-2005-2706)

A bug was found in the way Mozilla opens new windows. It is possible for a
malicious web site to construct a new window without any user interface
components, such as the address bar and the status bar. This window could
then be used to mislead the user for malicious purposes. (CAN-2005-2707)

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mozilla depends on:
pn  mozilla-browser                          Not found.
pn  mozilla-mailnews                         Not found.
pn  mozilla-psm                              Not found.



Tags added: fixed Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 2:1.7.12-1, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org> Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#329778.

Message #16 received at 329778-submitter@bugs.debian.org:

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 271427-submitter@bugs.debian.org, 314698-submitter@bugs.debian.org, 325635-submitter@bugs.debian.org, 328017-submitter@bugs.debian.org, 320115-submitter@bugs.debian.org, 320284-submitter@bugs.debian.org, 320899-submitter@bugs.debian.org, 327078-submitter@bugs.debian.org, 327349-submitter@bugs.debian.org, 320903-submitter@bugs.debian.org, 327946-submitter@bugs.debian.org, 320941-submitter@bugs.debian.org, 321126-submitter@bugs.debian.org, 321545-submitter@bugs.debian.org, 341341-submitter@bugs.debian.org, 321553-submitter@bugs.debian.org, 321644-submitter@bugs.debian.org, 346013-submitter@bugs.debian.org, 321816-submitter@bugs.debian.org, 321967-submitter@bugs.debian.org, 330024-submitter@bugs.debian.org, 321998-submitter@bugs.debian.org, 322583-submitter@bugs.debian.org, 322853-submitter@bugs.debian.org, 356739-submitter@bugs.debian.org, 322961-submitter@bugs.debian.org, 322972-submitter@bugs.debian.org, 323084-submitter@bugs.debian.org, 323160-submitter@bugs.debian.org, 323355-submitter@bugs.debian.org, 323725-submitter@bugs.debian.org, 323942-submitter@bugs.debian.org, 324371-submitter@bugs.debian.org, 324553-submitter@bugs.debian.org, 324558-submitter@bugs.debian.org, 324579-submitter@bugs.debian.org, 324606-submitter@bugs.debian.org, 324908-submitter@bugs.debian.org, 325210-submitter@bugs.debian.org, 325490-submitter@bugs.debian.org, 325514-submitter@bugs.debian.org, 326468-submitter@bugs.debian.org, 325532-submitter@bugs.debian.org, 327366-submitter@bugs.debian.org, 329778-submitter@bugs.debian.org, 332480-submitter@bugs.debian.org, 325635-submitter@bugs.debian.org, 328017-submitter@bugs.debian.org, 325835-submitter@bugs.debian.org, 325851-submitter@bugs.debian.org, 325938-submitter@bugs.debian.org, 327930-submitter@bugs.debian.org, 326285-submitter@bugs.debian.org, 326295-submitter@bugs.debian.org, 373110-submitter@bugs.debian.org, 379331-submitter@bugs.debian.org, 379334-submitter@bugs.debian.org, 326298-submitter@bugs.debian.org, 
326311-submitter@bugs.debian.org, 326355-submitter@bugs.debian.org, 326362-submitter@bugs.debian.org, 326371-submitter@bugs.debian.org, 326372-submitter@bugs.debian.org, 326378-submitter@bugs.debian.org, 326466-submitter@bugs.debian.org, 347129-submitter@bugs.debian.org, 347205-submitter@bugs.debian.org, 326489-submitter@bugs.debian.org, 326756-submitter@bugs.debian.org, 365518-submitter@bugs.debian.org, 327429-submitter@bugs.debian.org, 350429-submitter@bugs.debian.org, 327911-submitter@bugs.debian.org, 327718-submitter@bugs.debian.org, 327933-submitter@bugs.debian.org, 327936-submitter@bugs.debian.org, 327970-submitter@bugs.debian.org, 327984-submitter@bugs.debian.org, 327986-submitter@bugs.debian.org, 291328-submitter@bugs.debian.org, 327996-submitter@bugs.debian.org, 328002-submitter@bugs.debian.org, 328018-submitter@bugs.debian.org, 328039-submitter@bugs.debian.org, 328172-submitter@bugs.debian.org, 328333-submitter@bugs.debian.org, 328334-submitter@bugs.debian.org, 328335-submitter@bugs.debian.org, 328352-submitter@bugs.debian.org, 328364-submitter@bugs.debian.org, 329467-submitter@bugs.debian.org, 330446-submitter@bugs.debian.org, 333857-submitter@bugs.debian.org, 330666-submitter@bugs.debian.org, 330938-submitter@bugs.debian.org
Subject: Bugs fixed in NMU, documenting versions
Date: Sun, 22 Oct 2006 22:06:57 +0100
# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers.  With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
# relevant version information now.

close 271427 8.14+v8.11+urw-0.1
close 314698 0.35-2.1
close 325635 0.35-2.1
close 328017 0.35-2.1
close 320115 2.0-4.2
close 320284 1.11
close 320899 11.4.1870-7.1
close 327078 11.4.1870-7.1
close 327349 11.4.1870-7.1
close 320903 1:0.71-1.2
close 327946 1:0.71-1.2
close 320941 2.0.3-1.1
close 321126 2.6.3.2
close 321545 0.1.3b-1.1
close 341341 0.1.3b-1.1
close 321553 0.1.12-2.2
close 321644 2:1.7.12-1.1
close 346013 2:1.7.12-1.1
close 321816 2.61-2.1
close 321967 4.0.0-2.1
close 330024 4.0.0-2.1
close 321998 0.9.21-0.1
close 322583 0.3.8.1-4
close 322853 0.7.1-3.1
close 356739 0.7.1-3.1
close 322961 0.4.3.1.dfsg-0.1
close 322972 9.4.2-2.4
close 323084 0.4.5+cvs20030824-1.4
close 323160 0.1.10-0.1
close 323355 1.2.11-0.2
close 323725 0.18.2-10.1
close 323942 0.4.0-4.1
close 324371 4.3-18.1
close 324553 2.9.5.0.37.5.2
close 324558 1.2-release-2.1
close 324579 1.11-6.2
close 324606 1.2-release-2.2
close 324908 0.12.4-4.1
close 325210 2.6.0-1.1
close 325490 0.7.1-1.1
close 325514 0.8.6-1.1
close 326468 0.8.6-1.1
close 325532 2:1.7.12-1
close 327366 2:1.7.12-1
close 329778 2:1.7.12-1
close 332480 2:1.7.12-1
close 325635 0.35-2.1
close 328017 0.35-2.1
close 325835 0.1.12-7.1
close 325851 2:1.7.8-1sarge2
close 325938 0.9.8beta2-4.1
close 327930 0.9.8beta2-4.1
close 326285 0.99.3-5.1
close 326295 0.8.2-5.1
close 373110 0.8.2-5.1
close 379331 0.8.2-5.1
close 379334 0.8.2-5.1
close 326298 0.2.12-2.1
close 326311 0.3.5-1pre1.1
close 326355 2.1.8-2.1
close 326362 0.6-7.2
close 326371 0.90beta1-10.1
close 326372 1.0-0.1
close 326378 0.1.17-4.3
close 326466 6.3.2-2.1
close 347129 6.3.2-2.1
close 347205 6.3.2-2.1
close 326489 0.3.7-2.1
close 326756 1.0.9-1.1
close 365518 1.0.9-1.1
close 327429 1.2-1.1
close 350429 1.2-1.1
close 327911 2.3.5-1.1
close 327718 0.6.0-8.2
close 327933 0.9.2-1.1
close 327936 0.8.5-1.1
close 327970 0.5.1-2.1
close 327984 1.3-2.1
close 327986 0.2.36-4.1
close 291328 0.2.36-4.1
close 327996 1.0-1.1
close 328002 1.0.0-9.1
close 328018 2.1.3-2.1
close 328039 1.18A-2.1
close 328172 1.002-0.2
close 328333 4.1.2-1.1
close 328334 1.34-7.1
close 328335 0.8.2-2.1
close 328352 0.13-3.1
close 328364 0.4.0-test5-2.1
close 329467 1.3.1
close 330446 0.1.83
close 333857 0.1.83
close 330666 6:6.2.4.5-0.2
close 330938 0.5.1-2.2




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 16:19:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:13:42 2014; Machine Name: beach.debian.org
