Bug#570743: xulrunner: info disclosures

Michael Gilbert michael.s.gilbert at gmail.com
Sun Feb 21 07:20:13 UTC 2010


package: xulrunner
version: 1.9.1.8-2
severity: important
tags: security

Hi, the following CVE (Common Vulnerabilities & Exposures) ids were
published for xulrunner.

CVE-2010-0654[0]:
| Mozilla Firefox permits cross-origin loading of CSS stylesheets even
| when the stylesheet download has an incorrect MIME type and the
| stylesheet document is malformed, which allows remote HTTP servers to
| obtain sensitive information via a crafted document.

CVE-2010-0648[1]:
| Mozilla Firefox, possibly before 3.6, allows remote attackers to
| discover a redirect's target URL, for the session of a specific user
| of a web site, by placing the site's URL in the HREF attribute of a
| stylesheet LINK element, and then reading the
| document.styleSheets[0].href property value, related to an IFRAME
| element.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0654
    http://security-tracker.debian.org/tracker/CVE-2010-0654
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0648
    http://security-tracker.debian.org/tracker/CVE-2010-0648
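
The check that the CVE-2010-0654 description implies is missing, sketched as an added example (not part of the original message and not Mozilla's or Debian's code). The function names, the result shape, the same-origin leniency and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration: all names here are hypothetical, not a browser API.

// Lowercase media type from a Content-Type header value, without
// parameters such as "; charset=utf-8". Returns "" when absent.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// True only when both URLs parse and share scheme, host and port.
// Opaque origins (data:, file:) serialize as "null" and never match.
function sameOrigin(a, b) {
  try {
    const oa = new URL(a).origin;
    const ob = new URL(b).origin;
    return oa !== "null" && oa === ob;
  } catch (e) {
    return false; // unparsable URL: treat as cross-origin
  }
}

// documentUrl: page that contains the stylesheet LINK element.
// finalUrl:    URL the response actually came from, after redirects.
// contentType: Content-Type response header, or undefined.
function mayParseAsStylesheet(documentUrl, finalUrl, contentType) {
  if (mediaType(contentType) === "text/css") {
    return { allow: true, reason: "correct MIME type" };
  }
  // Assumed policy: tolerate a wrong MIME type only for same-origin sheets.
  if (sameOrigin(documentUrl, finalUrl)) {
    return { allow: true, reason: "same-origin, lenient MIME handling" };
  }
  return { allow: false, reason: "cross-origin response is not text/css" };
}

// Constructed sample requests (not taken from the bug report).
const samples = [
  ["https://app.example/inbox", "https://app.example/site.css", "text/css; charset=utf-8"],
  ["https://other.example/", "https://app.example/inbox", "text/html"],
  ["https://app.example/", "https://app.example/legacy.css", "text/plain"],
];
for (const [doc, sheet, type] of samples) {
  const r = mayParseAsStylesheet(doc, sheet, type);
  console.log(`${sheet} from ${doc}: ${r.allow ? "parse" : "reject"} (${r.reason})`);
}
```

The origin comparison uses the post-redirect URL, so a sheet that starts same-origin and redirects elsewhere is judged by where it was actually served from.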




