[Pkg-mozext-maintainers] Bug#559267: Bug#559267: CVE-2009-4102: RSS Feeds Cross Domain Scripting Vulnerability

Alan Woodland alan.woodland at gmail.com
Thu Dec 3 10:47:27 UTC 2009


2009/12/3 Giuseppe Iuculano <iuculano at debian.org>:
> Package: firefox-sage
> Severity: grave
> Tags: security
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for firefox-sage.
>
> CVE-2009-4102[0]:
> | Sage 1.4.3 and earlier extension for Firefox performs certain
> | operations with chrome privileges, which allows remote attackers to
> | execute arbitrary commands and perform cross-domain scripting attacks
> | via the description tag of an RSS feed.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4102
>    http://security-tracker.debian.org/tracker/CVE-2009-4102

Hmm, I'll take a look at this this afternoon. It's possible we might
not be hit by this one; last time there was an XSS bug, I applied a
patch that went further than upstream did.

Alan




