Jesse Ruderman and Petko D. Petkov discovered that the URI handler
for JAR archives allows cross-site scripting.

CVE-2007-5959

Several crashes in the layout engine were discovered, which might
allow the execution of arbitrary code.

CVE-2007-5960

Gregory Fleischer discovered a race condition in the handling of
the "window.location" property, which might lead to cross-site
request forgery.
The oldstable distribution (sarge) doesn't contain xulrunner.
For the stable distribution (etch) these problems have been fixed in
version 1.8.0.14~pre071019c-0etch1.
For the unstable distribution (sid) these problems have been fixed in
version 1.8.1.11-1.
We recommend that you upgrade your xulrunner packages.
Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
...