USN-811-1: Firefox and Xulrunner vulnerability

Source: http://www.ubuntu.com

Referenced CVEs: CVE-2009-2654

Description:

===========================================================
Ubuntu Security Notice USN-811-1            August 05, 2009
firefox-3.0, xulrunner-1.9 vulnerability
CVE-2009-2654
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0 3.0.13+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9

Ubuntu 8.10:
  abrowser 3.0.13+nobinonly-0ubuntu0.8.10.1
  firefox-3.0 3.0.13+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9

Ubuntu 9.04:
  abrowser 3.0.13+nobinonly-0ubuntu0.9.04.1
  firefox-3.0 3.0.13+nobinonly-0ubuntu0.9.04.1
  xulrunner-1.9

After a standard system upgrade you need to restart Firefox and any applications that use xulrunner, such as Epiphany, to effect the necessary changes.

Details follow:

Juan Pablo Lopez Yacubian discovered that Firefox did not properly display invalid URLs. If a user were tricked into accessing a malicious website, an attacker could exploit this to spoof the location bar, such as in a phishing attack. Furthermore, if the malicious website had a valid SSL certificate, Firefox would display the spoofed page as trusted.