Numerous security vulnerabilities have been discovered in the firefox package that allow execution of malicious code, XSS and DoS attacks, and reading of sensitive information.
Package:
Firefox 11.x
Operating systems:
Ubuntu Linux 10.04, Ubuntu Linux 11.04, Ubuntu Linux 11.10, Ubuntu Linux 12.04
The vulnerabilities arise from improper handling of SVG files, out-of-bounds memory writes, use of a pointer after it has been freed (use-after-free), and other flaws.
Impact:
The flaws allow XSS and DoS attacks, execution of arbitrary code, and disclosure of sensitive information.
Solution:
All users are advised to install the updates.
==========================================================================
Ubuntu Security Notice USN-1548-1
August 29, 2012
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Multiple security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Gary Kwong, Christian Holler, Jesse Ruderman, Steve Fink, Bob Clary, Andrew
Sutherland, Jason Smith, John Schoenick, Vladimir Vukicevic and Daniel
Holbert discovered memory safety issues affecting Firefox. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1970, CVE-2012-1971)
Abhishek Arya discovered multiple use-after-free vulnerabilities. If the
user were tricked into opening a specially crafted page, an attacker could
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976,
CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960,
CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)
Mariusz Mlynski discovered that it is possible to shadow the location object
using Object.defineProperty. This could potentially result in a cross-site
scripting (XSS) attack against plugins. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents or steal
confidential data within the same domain. (CVE-2012-1956)
Mariusz Mlynski discovered an escalation of privilege vulnerability through
about:newtab. This could potentially lead to code execution with
the privileges of the user invoking Firefox. (CVE-2012-3965)
FrÄ