
Re: Some more xulrunner CVEs [Was: CVE-2010-1206]



On Tue, Jul 20, 2010 at 06:26:17PM +0200, Mike Hommey wrote:
> On Mon, Jul 19, 2010 at 06:45:21PM +0200, Mike Hommey wrote:
> > Hi,
> > 
> > As I started to work on the next round of mozilla security updates, I found
> > out that CVE-2010-1206 doesn't apply to 3.0.x and earlier, because the
> > faulty code was introduced in 3.1b1 by
> > https://bugzilla.mozilla.org/show_bug.cgi?id=254714
> > Also, the vulnerable package is not xulrunner, in this case, but
> > iceweasel. Versions in etch and lenny are not affected.
> 
> Some more information on the CVEs I already know of for the next round due
> soon:
> CVE-2010-1213, CVE-2010-2752, CVE-2010-1209 are all xulrunner issues and
> don't apply on versions before 1.9.1. They are not yet disclosed but
> should be soon enough. They are only marked RESERVED on the security
> tracker, at the moment.

While at it: as I noted in bug 565521, CVE-2009-2061 is likely to have been
fixed at the same time as CVE-2009-1836.

Mike

