Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


Ubuntu 15.04 USN-2743-2 Critical: Ubufox Firefox Update Against DoS

This update provides compatible packages for Firefox 41.

==========================================================================
Ubuntu Security Notice USN-2743-2
September 22, 2015

ubufox update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

This update provides compatible packages for Firefox 41.

Software Description:

- ubufox: Ubuntu Firefox specific configuration defaults and apt support

Details:

USN-2743-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox.

Original advisory details:

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4500, CVE-2015-4501)

André Bargull discovered that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window. (CVE-2015-4502)

Felix Gröbert discovered an out-of-bounds read in the QCMS color management library in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. (CVE-2015-4504)

Khalil Zhani discovered a buffer overflow when parsing VP9 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4506)

Spandan Veggalam discovered a crash while using the debugger API in some circumstances. If a user were tricked in to opening a specially crafted website whilst using the debugger, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4507)

Juho Nurminen discovered that the URL bar could display the wrong URL in reader mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2015-4508)

A use-after-free was discovered when manipulating HTML media content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4509)

Looben Yang discovered a use-after-free when using a shared worker with IndexedDB in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4510)

Francisco Alonso discovered an out-of-bounds read during 2D canvas rendering in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4512)

Jeff Walden discovered that changes could be made to immutable properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary script in a privileged scope. (CVE-2015-4516)

Ronald Crane reported multiple vulnerabilities. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

Mario Gomes discovered that dragging and dropping an image after a redirect exposes the redirected URL to scripts. An attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4519)

Ehsan Akhgari discovered 2 issues with CORS preflight requests. An attacker could potentially exploit these to bypass CORS restrictions. (CVE-2015-4520)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.04:
  xul-ext-ubufox 3.2-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  xul-ext-ubufox 3.2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  xul-ext-ubufox 3.2-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-2743-2
  https://ubuntu.com/security/notices/USN-2743-1
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1498681

Package Information:
  https://launchpad.net/ubuntu/+source/ubufox/3.2-0ubuntu0.15.04.1
  https://launchpad.net/ubuntu/+source/ubufox/3.2-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/ubufox/3.2-0ubuntu0.12.04.1

Severity: Critical.
LinuxSecurity.com Team

Sep 22, 2015 Critical Ubuntu

Ubuntu 15.04: USN-2702-2 Critical: Ubufox Update for Firefox 40

This update provides compatible packages for Firefox 40.

==========================================================================
Ubuntu Security Notice USN-2702-2
August 11, 2015

ubufox update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

This update provides compatible packages for Firefox 40.

Software Description:

- ubufox: Ubuntu modifications for Firefox

Details:

USN-2702-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubufox.

Original advisory details:

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4473, CVE-2015-4474)

Aki Helin discovered an out-of-bounds read when playing malformed MP3 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4475)

A use-after-free was discovered during MediaStream playback in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4477)

André Bargull discovered that non-configurable properties on javascript objects could be redefined when parsing JSON. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-4478)

Multiple integer overflows were discovered in libstagefright. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)

Jukka Jylänki discovered a crash that occurs because javascript does not properly gate access to Atomics or SharedArrayBuffers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-4484)

Abhishek Arya discovered 2 buffer overflows in libvpx when decoding malformed WebM content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4485, CVE-2015-4486)

Ronald Crane reported 3 security issues. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these, in combination with another security vulnerability, to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4487, CVE-2015-4488, CVE-2015-4489)

Christoph Kerschbaumer discovered an issue with Mozilla's implementation of Content Security Policy (CSP), which could allow for a more permissive usage in some circumstances. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2015-4490)

Gustavo Grieco discovered a heap overflow in gdk-pixbuf. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4491)

Looben Yang discovered a use-after-free when using XMLHttpRequest with shared workers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4492)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.04:
  xul-ext-ubufox 3.1-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  xul-ext-ubufox 3.1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  xul-ext-ubufox 3.1-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-2702-2
  https://ubuntu.com/security/notices/USN-2702-1
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1483858

Package Information:
  https://launchpad.net/ubuntu/+source/ubufox/3.1-0ubuntu0.15.04.1
  https://launchpad.net/ubuntu/+source/ubufox/3.1-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/ubufox/3.1-0ubuntu0.12.04.1

The recent ubufox update addresses multiple security vulnerabilities in Firefox, significantly improving user protection through essential fixes. A restart is necessary.

Severity: Critical.
LinuxSecurity.com Team

Aug 11, 2015 Critical Ubuntu

Ubuntu 12.10: USN-1638-2 Moderate: Ubufox Update for Firefox Security Fix

This update provides compatible ubufox packages for the latest Firefox.

==========================================================================
Ubuntu Security Notice USN-1638-2
November 21, 2012

ubufox update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

This update provides compatible ubufox packages for the latest Firefox.

Software Description:

- ubufox: Ubuntu Firefox specific configuration defaults and apt support

Details:

USN-1638-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox.

Original advisory details:

Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and Andrew McCreight discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-5842, CVE-2012-5843)

Atte Kettunen discovered a buffer overflow while rendering GIF format images. An attacker could exploit this to possibly execute arbitrary code as the user invoking Firefox. (CVE-2012-4202)

It was discovered that the evalInSandbox function's JavaScript sandbox context could be circumvented. An attacker could exploit this to perform a cross-site scripting (XSS) attack or steal a copy of a local file if the user has installed an add-on vulnerable to this attack. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-4201)

Jonathan Stephens discovered that combining vectors involving the setting of Cascading Style Sheets (CSS) properties in conjunction with SVG text could cause Firefox to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2012-5836)

It was discovered that if a javascript: URL is selected from the list of Firefox "new tab" page, the script will inherit the privileges of the privileged "new tab" page. This allows for the execution of locally installed programs if a user can be convinced to save a bookmark of a malicious javascript: URL. (CVE-2012-4203)

Scott Bell discovered a memory corruption issue in the JavaScript engine. If a user were tricked into opening a malicious website, an attacker could exploit this to execute arbitrary JavaScript code within the context of another website or arbitrary code as the user invoking the program. (CVE-2012-4204)

Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox. (CVE-2012-4205)

Peter Van der Beken discovered XrayWrapper implementation in Firefox does not consider the compartment during property filtering. An attacker could use this to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site. (CVE-2012-4208)

Bobby Holley discovered that cross-origin wrappers were allowing write actions on objects when only read actions should have been properly allowed. This can lead to cross-site scripting (XSS) attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-5841)

Masato Kinugawa discovered that when HZ-GB-2312 charset encoding is used for text, the "~" character will destroy another character near the chunk delimiter. This can lead to a cross-site scripting (XSS) attack in pages encoded in HZ-GB-2312. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit these to modify the contents, or steal confidential data, within the same domain. (CVE-2012-4207)

Mariusz Mlynski discovered that the location property can be accessed by binary plugins through top.location with a frame whose name attribute's value is set to "top". This can allow for possible cross-site scripting (XSS) attacks through plugins. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-4209)

Mariusz Mlynski discovered that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. If a user were tricked into opening a malicious web page, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2012-4210)

Abhishek Arya discovered multiple use-after-free and buffer overflow issues in Firefox. If a user were tricked into opening a malicious page, an attacker could exploit these to execute arbitrary code as the user invoking the program. (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5839, CVE-2012-5840, CVE-2012-4212, CVE-2012-4213, CVE-2012-4217, CVE-2012-4218)

Several memory corruption flaws were discovered in Firefox. If a user were tricked into opening a malicious page, an attacker could exploit these to execute arbitrary code as the user invoking the program. (CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.10:
  xul-ext-ubufox 2.6-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
  xul-ext-ubufox 2.6-0ubuntu0.12.04.1

Ubuntu 11.10:
  xul-ext-ubufox 2.6-0ubuntu0.11.10.1

Ubuntu 10.04 LTS:
  xul-ext-ubufox 2.6-0ubuntu0.10.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-1638-2
  https://ubuntu.com/security/notices/USN-1638-1
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1080211

Package Information:
  https://launchpad.net/ubuntu/+source/ubufox/2.6-0ubuntu0.12.10.1
  https://launchpad.net/ubuntu/+source/ubufox/2.6-0ubuntu0.12.04.1
  https://launchpad.net/ubuntu/+source/ubufox/2.6-0ubuntu0.11.10.1
  https://launchpad.net/ubuntu/+source/ubufox/2.6-0ubuntu0.10.04.1

The Ubuntu Security Notice USN-1638-2 provides insight into the ubufox patch, which resolves several vulnerabilities found in Firefox.

LinuxSecurity.com Team

Nov 21, 2012 Ubuntu

Ubuntu 12.04 LTS: USN-1509-2 Moderate Ubufox Update for Firefox

This update provides compatible ubufox packages for the latest Firefox.

==========================================================================
Ubuntu Security Notice USN-1509-2
July 18, 2012

ubufox update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

This update provides compatible ubufox packages for the latest Firefox.

Software Description:

- ubufox: Ubuntu Firefox specific configuration defaults and apt support

Details:

USN-1509-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox.

Original advisory details:

Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949)

Mario Gomes discovered that the address bar may be incorrectly updated. Drag-and-drop events in the address bar may cause the address of the previous site to be displayed while a new page is loaded. An attacker could exploit this to conduct phishing attacks. (CVE-2012-1950)

Abhishek Arya discovered four memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)

Mariusz Mlynski discovered that the address bar may be incorrectly updated. Calls to history.forward and history.back could be used to navigate to a site while the address bar still displayed the previous site. A remote attacker could exploit this to conduct phishing attacks. (CVE-2012-1955)

Mario Heiderich discovered that HTML tags were not filtered out of the HTML of RSS feeds. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via javascript execution in the HTML feed view. (CVE-2012-1957)

Arthur Gerkis discovered a use-after-free vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1958)

Bobby Holley discovered that same-compartment security wrappers (SCSW) could be bypassed to allow XBL access. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1959)

Tony Payne discovered an out-of-bounds memory read in Mozilla's color management library (QCMS). If the user were tricked into opening a specially crafted color profile, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-1960)

Frédéric Buclin discovered that the X-Frame-Options header was ignored when its value was specified multiple times. An attacker could exploit this to conduct clickjacking attacks. (CVE-2012-1961)

Bill Keese discovered a memory corruption vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1962)

Karthikeyan Bhargavan discovered an information leakage vulnerability in the Content Security Policy (CSP) 1.0 implementation. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)

Matt McCutchen discovered a clickjacking vulnerability in the certificate warning page. A remote attacker could trick a user into accepting a malicious certificate via a crafted certificate warning page. (CVE-2012-1964)

Mario Gomes and Soroush Dalili discovered that javascript was not filtered out of feed URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1965)

A vulnerability was discovered in the context menu of data: URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966)

It was discovered that the execution of javascript: URLs was not properly handled in some cases. A remote attacker could exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1967)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 LTS:
  ubufox 2.1.1-0ubuntu0.12.04.1
  xul-ext-ubufox 2.1.1-0ubuntu0.12.04.1

Ubuntu 11.10:
  ubufox 2.1.1-0ubuntu0.11.10.1
  xul-ext-ubufox 2.1.1-0ubuntu0.11.10.1

Ubuntu 11.04:
  ubufox 2.1.1-0ubuntu0.11.04.1
  xul-ext-ubufox 2.1.1-0ubuntu0.11.04.1

Ubuntu 10.04 LTS:
  ubufox 2.1.1-0ubuntu0.10.04.1
  xul-ext-ubufox 2.1.1-0ubuntu0.10.04.1

When upgrading, users should be aware of the following:

- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus, context menus, and perform drag-and-drop operations in Firefox. This is a known issue being tracked in https://bugs.launchpad.net/ubuntu/+source/unity-2d/+bug/1020198 and may be fixed in a later update.

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-1509-2
  https://ubuntu.com/security/notices/USN-1509-1
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1024562

Package Information:
  https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.12.04.1
  https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.11.10.1
  https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.11.04.1
  https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.10.04.1

The Ubuntu Security Alert USN-1509-2 has been issued regarding ubufox, addressing vulnerabilities that may pose risks to users.

Severity: Important.
LinuxSecurity.com Team

Jul 18, 2012 Important Ubuntu

Ubuntu 10.10 And 10.04 LTS: USN-1355-3 Critical Ubufox Update

This update provides compatible ubufox and webfav packages for the latest Firefox.

==========================================================================
Ubuntu Security Notice USN-1355-3
February 03, 2012

ubufox and webfav update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

This update provides compatible ubufox and webfav packages for the latest Firefox.

Software Description:

- ubufox: Ubuntu Firefox specific configuration defaults and apt support
- webfav: Firefox extension for saving web favorites (bookmarks)

Details:

USN-1355-1 fixed vulnerabilities in Firefox. This update provides updated ubufox and webfav packages for use with the latest Firefox.

Original advisory details:

It was discovered that if a user chose to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users. (CVE-2012-0450)

Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0449)

It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0444)

Tim Abraldes discovered that when encoding certain images types the resulting data was always a fixed size. There is the possibility of sensitive data from uninitialized memory being appended to these images. (CVE-2012-0447)

It was discovered that Firefox did not properly perform XPConnect security checks. An attacker could exploit this to conduct cross-site scripting (XSS) attacks through web pages and Firefox extensions. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0446)

It was discovered that Firefox did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2011-3659)

Alex Dvorov discovered that Firefox did not properly handle sub-frames in form submissions. An attacker could exploit this to conduct phishing attacks using HTML5 frames. (CVE-2012-0445)

Ben Hawkes, Christian Holler, Honza Bombas, Jason Orendorff, Jesse Ruderman, Jan Odvarko, Peter Van Der Beken, Bob Clary, and Bill McCloskey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0442, CVE-2012-0443)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10:
  xul-ext-ubufox 0.9.3-0ubuntu0.10.10.3
  xul-ext-webfav 1.17-0ubuntu4.1

Ubuntu 10.04 LTS:
  xul-ext-ubufox 0.9.3-0ubuntu0.10.04.3
  xul-ext-webfav 1.17-0ubuntu3.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/923319

Package Information:
  https://launchpad.net/ubuntu/+source/ubufox/0.9.3-0ubuntu0.10.10.3
  https://launchpad.net/ubuntu/+source/webfav/1.17-0ubuntu4.1
  https://launchpad.net/ubuntu/+source/ubufox/0.9.3-0ubuntu0.10.04.3
  https://launchpad.net/ubuntu/+source/webfav/1.17-0ubuntu3.1

Tackling urgent concerns regarding Ubuntu distributions of Firefox, focusing on potential security risks and essential patches.

Severity: Critical.
LinuxSecurity.com Team

Feb 03, 2012 Critical Ubuntu

Ubuntu 11.10: USN-1306-2 Moderate: Ubufox and Mozvoikko Update

This update provides compatible packages for Firefox 9.

==========================================================================
Ubuntu Security Notice USN-1306-2
January 06, 2012

mozvoikko, ubufox update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04

Summary:

This update provides compatible packages for Firefox 9.

Software Description:

- mozvoikko: Finnish spell-checker extension for Firefox (transitional package)
- ubufox: Ubuntu Firefox specific configuration defaults and apt support

Details:

USN-1306-1 fixed vulnerabilities in Firefox. This update provides updated Mozvoikko and ubufox packages for use with Firefox 9.

Original advisory details:

Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler, David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia Knous, and Rober Longson discovered several memory safety issues which could possibly be exploited to crash Firefox or execute arbitrary code as the user that invoked Firefox. (CVE-2011-3660)

Aki Helin discovered a crash in the YARR regular expression library that could be triggered by javascript in web content. (CVE-2011-3661)

It was discovered that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler. An attacker could potentially exploit this vulnerability to crash Firefox. (CVE-2011-3658)

Mario Heiderich discovered it was possible to use SVG animation accessKey events to detect key strokes even when JavaScript was disabled. A malicious web page could potentially exploit this to trick a user into interacting with a prompt thinking it came from the browser in a context where the user believed scripting was disabled. (CVE-2011-3663)

It was discovered that it was possible to crash Firefox when scaling an OGG element to extreme sizes. (CVE-2011-3665)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.10:
  xul-ext-mozvoikko 1.10.0-0ubuntu2.2
  xul-ext-ubufox 1.0.2-0ubuntu0.11.10.1

Ubuntu 11.04:
  xul-ext-mozvoikko 1.10.0-0ubuntu0.11.04.4
  xul-ext-ubufox 0.9.3-0ubuntu0.11.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/906389

Package Information:
  https://launchpad.net/ubuntu/+source/mozvoikko/1.10.0-0ubuntu2.2
  https://launchpad.net/ubuntu/+source/ubufox/1.0.2-0ubuntu0.11.10.1
  https://launchpad.net/ubuntu/+source/mozvoikko/1.10.0-0ubuntu0.11.04.4
  https://launchpad.net/ubuntu/+source/ubufox/0.9.3-0ubuntu0.11.04.1

Patch addresses vulnerabilities in mozvoikko and ubufox to ensure compatibility with Firefox 9 on Ubuntu platforms.

LinuxSecurity.com Team

Jan 06, 2012 Ubuntu