pkgsrc-Bugs archive


pkg/40205: Firefox and Opera pkgsrc update - critical security fixes

>Number:         40205
>Category:       pkg
>Synopsis:       Firefox and Opera pkgsrc update - critical security fixes
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 17 12:50:00 +0000 2008
>Originator:     Cem Kayali



Security Update  (December 16, 2008): Security updates have been issued for 
Firefox 2 and Firefox 3 that fix critical security vulnerabilities. All users 
should install these updates as soon as possible.

MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-62 Additional XSS attack vectors in feed preview
MFSA 2008-61 Information stealing via loadBindingDocument
MFSA 2008-60 Crashes with evidence of memory corruption (rv:


Fixed an issue where History Search could be used to execute arbitrary code, as 
discovered by Aviv Raff; see our advisory.
The links panel no longer allows cross-site scripting; see our advisory.
Manipulating text input contents can allow execution of arbitrary code, as 
reported by Red XIII. See our advisory.
HTML parsing flaw can cause Opera to execute arbitrary code, as reported by 
Alexios Fakos. See our advisory.
Long hostnames in file: URLs can cause execution of arbitrary code, as reported 
by Vitaly McLain. See our advisory.
Script injection in feed preview can reveal contents of unrelated news feeds, 
as reported by David Bloom. See our advisory.
Built-in XSLT templates can allow cross-site scripting, as reported by Robert 
Swiecki of the Google Security Team. See our advisory.
Fixed an issue that could reveal random data, as reported by Matthew of 
Hispasec Sistemas. Details will be disclosed at a later date.
SVG images embedded using <img> tags can no longer execute Java or plugin 
content, suggested by Chris Evans.


