Ubuntu: Firefox vulnerabilities USN-645-2
===========================================================
Ubuntu Security Notice USN-645-2
September 24, 2008
firefox vulnerabilities
CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064, CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  firefox 1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

USN-645-1 fixed vulnerabilities in Firefox and xulrunner for Ubuntu 7.04, 7.10 and 8.04 LTS. This provides the corresponding update for Ubuntu 6.06 LTS.

Original advisory details:

Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016)

It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835)

Several problems were discovered in the JavaScript engine. This could allow an attacker to execute scripts from page content with chrome privileges. (CVE-2008-3836)

Paul Nickerson discovered Firefox did not properly process mouse click events. If a user were tricked into opening a malicious web page, an attacker could move the content window, which could potentially be used to force a user to perform unintended drag and drop operations. (CVE-2008-3837)

Several problems were discovered in the browser engine. This could allow an attacker to execute code with chrome privileges. (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several problems in the browser engine of Firefox. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when processing certain BOM characters. An attacker could exploit this to bypass script filters and perform cross-site scripting attacks. (CVE-2008-4065)

Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a user were tricked into opening a malicious web page, an attacker could bypass script filtering and perform cross-site scripting attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in the resource: protocol. An attacker could exploit this to perform directory traversal, read information about the system, and prompt the user to save information in a file. (CVE-2008-4067, CVE-2008-4068)

Billy Hoffman discovered a problem in the XBM decoder. If a user were tricked into opening a malicious web page or XBM file, an attacker may be able to cause a denial of service via application crash.
(CVE-2008-4069)

Updated packages for Ubuntu 6.06 LTS: