USN-930-2: apturl, Epiphany, gecko-sharp, gnome-python-extras, liferea, rhythmbox, totem, ubufox, yelp update
Publication date
29 June 2010
Overview
This update is for use with the new Xulrunner provided in USN-930-1.
Releases
Packages
- apturl - Install package with the apt protocol
- epiphany-browser - Intuitive web browser
- gecko-sharp2 - CLI binding for the GtkMozEmbed library
- gnome-python-extras - Python bindings for the GNOME desktop environment
- liferea - feed aggregator for GNOME
- rhythmbox - music player and organizer for GNOME
- totem - A simple media player for the Gnome desktop
- ubufox - Ubuntu Firefox specific configuration defaults and apt support
- yelp - Help browser for GNOME 2
Details
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This update
provides updated packages for use with Firefox 3.6 and Xulrunner 1.9.2 on
Ubuntu 8.04 LTS.
Original advisory details:
If was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-1200, CVE-2010-1201,
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This update
provides updated packages for use with Firefox 3.6 and Xulrunner 1.9.2 on
Ubuntu 8.04 LTS.
Original advisory details:
If was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-1200, CVE-2010-1201,
CVE-2010-1202, CVE-2010-1203)
A flaw was discovered in the way plugin instances interacted. An attacker
could potentially exploit this and use one plugin to access freed memory from a
second plugin to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2010-1198)
An integer overflow was discovered in Firefox. If a user were tricked into
viewing a malicious site, an attacker could overflow a buffer and cause a
denial of service or possibly execute arbitrary code with the privileges of
the user invoking the program. (CVE-2010-1196)
Martin Barbella discovered an integer overflow in an XSLT node sorting
routine. An attacker could exploit this to overflow a buffer and cause a
denial of service or possibly execute arbitrary code with the privileges of
the user invoking the program. (CVE-2010-1199)
Michal Zalewski discovered that the focus behavior of Firefox could be
subverted. If a user were tricked into viewing a malicious site, a remote
attacker could use this to capture keystrokes. (CVE-2010-1125)
Ilja van Sprundel discovered that the 'Content-Disposition: attachment'
HTTP header was ignored when 'Content-Type: multipart' was also present.
Under certain circumstances, this could potentially lead to cross-site
scripting attacks. (CVE-2010-1197)
Amit Klein discovered that Firefox did not seed its random number generator
often enough. An attacker could exploit this to identify and track users
across different web sites. (CVE-2008-5913)
Update instructions
After a standard system upgrade you need to restart any applications that use Xulrunner to effect the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 8.04 hardy | epiphany-gecko – 2.22.2-0ubuntu0.8.04.7 | ||
| apturl – 0.2.2ubuntu1.1 | |||
| yelp – 2.22.1-0ubuntu2.8.04.4 | |||
| liferea – 1.4.14-0ubuntu4.1 | |||
| python-gnome2-extras – 2.19.1-0ubuntu7.2 | |||
| libgecko2.0-cil – 0.11-3ubuntu4.8.04.1 | |||
| ubufox – 0.9~rc2-0ubuntu0.8.04.1 | |||
| rhythmbox – 0.11.5-0ubuntu8.8.04.2 | |||
| totem-mozilla – 2.22.1-0ubuntu3.8.04.6 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.