CVE-2010-3178 | Ubuntu

Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 do not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
firefox	11.04 natty	Fixed 3.6.11+build3+nobinonly-0ubuntu0.10.10.1
	10.10 maverick	Fixed 3.6.11+build3+nobinonly-0ubuntu0.10.10.1
	10.04 LTS lucid	Fixed 3.6.11+build3+nobinonly-0ubuntu0.10.04.1
	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.04 LTS hardy	Ignored end of life
	6.06 LTS dapper	Ignored end of life
firefox-3.0	11.04 natty	Not in release
	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Not in release
	9.04 jaunty	Fixed 3.6.11+build3+nobinonly-0ubuntu0.9.04.1
	8.04 LTS hardy	Fixed 3.6.11+build3+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
firefox-3.5	11.04 natty	Not in release
	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Fixed 3.6.11+build3+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 3.5.14+build3+nobinonly-0ubuntu0.9.04.1
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
seamonkey	11.04 natty	Fixed 2.0.9+build1+nobinonly-0ubuntu0.10.10.1
	10.10 maverick	Fixed 2.0.9+build1+nobinonly-0ubuntu0.10.10.1
	10.04 LTS lucid	Fixed 2.0.9+build1+nobinonly-0ubuntu0.10.04.1
	9.10 karmic	Fixed 2.0.9+build1+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 2.0.9+build1+nobinonly-0ubuntu0.9.04.1
	8.04 LTS hardy	Fixed 2.0.9+build1+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
thunderbird	11.04 natty	Fixed 3.1.5+build1+nobinonly-0ubuntu0.10.10.1
	10.10 maverick	Fixed 3.1.5+build1+nobinonly-0ubuntu0.10.10.1
	10.04 LTS lucid	Fixed 3.0.9+build1+nobinonly-0ubuntu0.10.04.1
	9.10 karmic	Ignored end of life
	9.04 jaunty	Ignored end of life
	8.04 LTS hardy	Ignored end of life
	6.06 LTS dapper	Not in release
xulrunner-1.9.1	11.04 natty	Not in release
	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Fixed 1.9.1.14+build4+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 1.9.1.14+build4+nobinonly-0ubuntu0.9.04.1
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
xulrunner-1.9.2	11.04 natty	Fixed 1.9.2.11+build3+nobinonly-0ubuntu0.10.10.1
	10.10 maverick	Fixed 1.9.2.11+build3+nobinonly-0ubuntu0.10.10.1
	10.04 LTS lucid	Fixed 1.9.2.11+build3+nobinonly-0ubuntu0.10.04.1
	9.10 karmic	Fixed 1.9.2.11+build3+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 1.9.2.11+build3+nobinonly-0ubuntu0.9.04.1
	8.04 LTS hardy	Fixed 1.9.2.11+build3+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release

Notes

jdstrand

CVEs in Firefox are tracked in the xulrunner source packages for builds that use the system xulrunner, and firefox source packages for those that use a static build xulrunner (1.8.0): firefox (1.5) - Ubuntu 6.06 LTS (system xul) xulrunner (1.8.1): firefox (2.0) - Ubuntu 6.10 - 8.04 LTS (system xul) xulrunner-1.9: (ignored) reverse dependencies no longer process web content xulrunner-1.9.1: (ignored) reverese dependencies no longer process web content xulrunner-1.9.2: system xul for reverese dependencies that process web content firefox: Ubuntu 6.06 LTS (static build) firefox: Ubuntu 10.04 LTS and higher (static build of 3.6.x or higher) firefox-3.0: Ubuntu 8.04 LTS, 9.04 (static build of 3.6.x) firefox-3.5: Ubuntu 9.04 (ignored, uses system xul 1.9.1. Use 3.0 instead) firefox-3.5: Ubuntu 9.10 (static build of 3.6.x) thunderbird low (javascript not enabled by default)

References

Related Ubuntu Security Notices (USN)

USN-998-1
Thunderbird vulnerabilities
20 October 2010

USN-997-1
Firefox and Xulrunner vulnerabilities
20 October 2010

Other references

https://www.cve.org/CVERecord?id=CVE-2010-3178