Ubuntu alert USN-1600-1 (firefox)
| From: | Jamie Strandboge <jamie@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-1600-1] Firefox vulnerabilities | |
| Date: | Tue, 09 Oct 2012 17:40:35 -0500 | |
| Message-ID: | <5074A7E3.8030403@canonical.com> |
========================================================================== Ubuntu Security Notice USN-1600-1 October 09, 2012 firefox vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS Summary: Multiple security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and others discovered several memory corruption flaws in Firefox. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989) David Bloom and Jordi Chancel discovered that Firefox did not always properly handle the <select> element. A remote attacker could exploit this to conduct URL spoofing and clickjacking attacks. (CVE-2012-3984) Collin Jackson discovered that Firefox did not properly follow the HTML5 specification for document.domain behavior. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via javascript execution. (CVE-2012-3985) Johnny Stenback discovered that Firefox did not properly perform security checks on tests methods for DOMWindowUtils. (CVE-2012-3986) Alice White discovered that the security checks for GetProperty could be bypassed when using JSAPI. If a user were tricked into opening a specially crafted web page, a remote attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2012-3991) Mariusz Mlynski discovered a history state error in Firefox. A remote attacker could exploit this to spoof the location property to inject script or intercept posted data. (CVE-2012-3992) Mariusz Mlynski and others discovered several flays in Firefox that allowed a remote attacker to conduct cross-site scripting (XSS) attacks. (CVE-2012-3993, CVE-2012-3994, CVE-2012-4184) Abhishek Arya, Atte Kettunen and others discovered several memory flaws in Firefox when using the Address Sanitizer tool. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: firefox 16.0+build1-0ubuntu0.12.04.1 Ubuntu 11.10: firefox 16.0+build1-0ubuntu0.11.10.1 Ubuntu 11.04: firefox 16.0+build1-0ubuntu0.11.04.1 Ubuntu 10.04 LTS: firefox 16.0+build1-0ubuntu0.10.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1600-1 CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188 Package Information: https://launchpad.net/ubuntu/+source/firefox/16.0+build1-... https://launchpad.net/ubuntu/+source/firefox/16.0+build1-... https://launchpad.net/ubuntu/+source/firefox/16.0+build1-... https://launchpad.net/ubuntu/+source/firefox/16.0+build1-... -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...