Some more xulrunner CVEs [Was: CVE-2010-1206]

To: debian-security-tracker@lists.debian.org
Subject: Some more xulrunner CVEs [Was: CVE-2010-1206]
From: Mike Hommey <mh@glandium.org>
Date: Tue, 20 Jul 2010 18:26:17 +0200
Message-id: <20100720162617.GA28950@glandium.org>
In-reply-to: <20100719164521.GA11575@glandium.org>
References: <20100719164521.GA11575@glandium.org>

On Mon, Jul 19, 2010 at 06:45:21PM +0200, Mike Hommey wrote:
> Hi,
> 
> As I started to work on next round of mozilla security updates, I found
> out that CVE-2010-1206 doesn't apply to 3.0.x and earlier, because the
> faulty code was introduced in 3.1b1 by
> https://bugzilla.mozilla.org/show_bug.cgi?id=254714
> Also, the vulnerable package is not xulrunner, in this case, but
> iceweasel. Versions in etch and lenny are not affected.

Some more information on the CVEs I already know of for next round due
soon:
CVE-2010-1213, CVE-2010-2752, CVE-2010-1209 are all xulrunner issues and
don't apply on versions before 1.9.1. They are not yet disclosed but
should be soon enough. They are only marked RESERVED on the security
tracked, at the moment.

Mike

Reply to:

Follow-Ups:
- Re: Some more xulrunner CVEs [Was: CVE-2010-1206]
  - From: Mike Hommey <mh@glandium.org>

References:
- CVE-2010-1206
  - From: Mike Hommey <mh@glandium.org>

Prev by Date: Re: Some more xulrunner CVEs [Was: CVE-2010-1206]
Next by Date: CVE-2010-0213: RRSIG query handling bug in BIND 9.7.1
Previous by thread: Re: CVE-2010-1206
Next by thread: Re: Some more xulrunner CVEs [Was: CVE-2010-1206]
Index(es):
- Date
- Thread