Re: Some more xulrunner CVEs [Was: CVE-2010-1206]

To: debian-security-tracker@lists.debian.org
Subject: Re: Some more xulrunner CVEs [Was: CVE-2010-1206]
From: Mike Hommey <mh@glandium.org>
Date: Tue, 20 Jul 2010 18:39:52 +0200
Message-id: <20100720163952.GA13145@glandium.org>
In-reply-to: <20100720162617.GA28950@glandium.org>
References: <20100719164521.GA11575@glandium.org> <20100720162617.GA28950@glandium.org>

On Tue, Jul 20, 2010 at 06:26:17PM +0200, Mike Hommey wrote:
> On Mon, Jul 19, 2010 at 06:45:21PM +0200, Mike Hommey wrote:
> > Hi,
> > 
> > As I started to work on next round of mozilla security updates, I found
> > out that CVE-2010-1206 doesn't apply to 3.0.x and earlier, because the
> > faulty code was introduced in 3.1b1 by
> > https://bugzilla.mozilla.org/show_bug.cgi?id=254714
> > Also, the vulnerable package is not xulrunner, in this case, but
> > iceweasel. Versions in etch and lenny are not affected.
> 
> Some more information on the CVEs I already know of for next round due
> soon:
> CVE-2010-1213, CVE-2010-2752, CVE-2010-1209 are all xulrunner issues and
> don't apply on versions before 1.9.1. They are not yet disclosed but
> should be soon enough. They are only marked RESERVED on the security
> tracked, at the moment.

While at it: as I noted in bug 565521, CVE-2009-2061 is likely to have been
fixed at the same time as CVE-2009-1836.

Mike

Reply to:

References:
- CVE-2010-1206
  - From: Mike Hommey <mh@glandium.org>
- Some more xulrunner CVEs [Was: CVE-2010-1206]
  - From: Mike Hommey <mh@glandium.org>

Prev by Date: Re: CVE-2010-1206
Next by Date: Some more xulrunner CVEs [Was: CVE-2010-1206]
Previous by thread: Some more xulrunner CVEs [Was: CVE-2010-1206]
Next by thread: CVE-2010-0213: RRSIG query handling bug in BIND 9.7.1
Index(es):
- Date
- Thread