Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#4515 - xulrunner needs patching
Attached to Project:
Arch Linux
Opened by name withheld (Gullible Jones) - Wednesday, 26 April 2006, 19:58 GMT
Last edited by Dale Blount (dale) - Wednesday, 26 April 2006, 21:08 GMT
Details
The current version of xulrunner is subject to a very nasty security flaw which allows remote execution of arbitrary code, and Mozilla.org has not yet released a new version and probably will not for quite some time. I think it would be prudent to try to patch version 1.8.0.1 and put the patched version in the Testing repository, to be transferred to Current as soon as it is proven to be stable. The possibility of exploitation of this bug may sound remote, but it is a very serious one and I don't think it's a good idea to take chances on this.
Closed by Jan de Groot (JGC)
Thursday, 04 May 2006, 12:44 GMT
Reason for closing: Fixed
Additional comments about closing: Added a 1.8.0.2-alike patch taken from OpenSuSE. They updated xulrunner today, so I guess the security bugs should be fixed with it.
Any fix available for this on the mozilla cvs?
I'd need some more information about this, couldn't find any proper information on this in the mozilla bugtracker.
http://www.mozilla.org/projects/security/known-vulnerabilities.html
There are actually several critical vulnerabilities fixed in version 1.5.0.2 - the one I mentioned was the remote code execution one relating to table rebuilding, but they should probably all be patched.