Ubuntu
xulrunner package

lp:ubuntu/intrepid-security/xulrunner

  1. Intrepid (8.10)
  2. intrepid-security
Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/intrepid-security/xulrunner
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Status:
Mature

Recent revisions

27. By Alexander Sack

* New security upstream release - backports for ffox 3.0.8
  + Fixed on Firefox EOL branch
    - MFSA 2009-13 Arbitrary code execution through XUL <tree> element
    - MFSA 2009-12 XSL Transformation vulnerability
    - MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
    - MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
    - MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
    - MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
    - MFSA 2009-03 Local file stealing with SessionStore
    - MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)
  + Fixed in Firefox 2.0.0.20
    - MFSA 2008-65 Cross-domain data theft via script redirect error message (Windows)
  + Fixed in Firefox 2.0.0.19
    - MFSA 2008-69 XSS vulnerabilities in SessionStore
    - MFSA 2008-68 XSS and JavaScript privilege escalation
    - MFSA 2008-67 Escaped null characters ignored by CSS parser
    - MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
    - MFSA 2008-65 Cross-domain data theft via script redirect error message
    - MFSA 2008-64 XMLHttpRequest 302 response disclosure
    - MFSA 2008-62 Additional XSS attack vectors in feed preview
    - MFSA 2008-61 Information stealing via loadBindingDocument
    - MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
  + Fixed in Firefox 2.0.0.18
    - MFSA 2008-58 Parsing error in E4X default namespace
    - MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
    - MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
    - MFSA 2008-55 Crash and remote code execution in nsFrameManager
    - MFSA 2008-54 Buffer overflow in http-index-format parser
    - MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
    - MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
    - MFSA 2008-50 Crash and remote code execution via __proto__ tampering
    - MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
    - MFSA 2008-48 Image stealing via canvas and HTTP redirect
    - MFSA 2008-47 Information stealing via local shortcut files
  + Fixed in Firefox 2.0.0.17
    - MFSA 2008-45 XBM image uninitialized memory reading
    - MFSA 2008-44 resource: traversal vulnerabilities
    - MFSA 2008-43 BOM characters stripped from JavaScript before execution
    - MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
    - MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
    - MFSA 2008-40 Forced mouse drag
    - MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
    - MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
    - MFSA 2008-37 UTF-8 URL stack buffer overflow

26. By Devid Antonio Filoni

* New upstream release (taken from upstream CVS), LP: #254618.
* Fix MFSA 2008-35, MFSA 2008-34, MFSA 2008-33, MFSA 2008-32, MFSA 2008-31,
  MFSA 2008-30, MFSA 2008-29, MFSA 2008-28, MFSA 2008-27, MFSA 2008-25,
  MFSA 2008-24, MFSA 2008-23, MFSA 2008-22, MFSA 2008-21, MFSA 2008-26 also
  known as CVE-2008-2933, CVE-2008-2785, CVE-2008-2811, CVE-2008-2810,
  CVE-2008-2809, CVE-2008-2808, CVE-2008-2807, CVE-2008-2806, CVE-2008-2805,
  CVE-2008-2803, CVE-2008-2802, CVE-2008-2801, CVE-2008-2800, CVE-2008-2798.
* Drop 89_bz419350_attachment_306066 patch, merged upstream.
* Bump Standards-Version to 3.8.0.

25. By Martin Pitt

No-change upload to build against current libhunspell.

24. By Alexander Sack

* prepatch fix for FTBFS due to #include of not-existing
  iostream.h in ia64 code.
  - add debian/patches/bz419350_attachment_306066.dpatch
  - update debian/patches/00list

23. By Alexander Sack

* fix FTBFS due to diverged configure patch
  - update debian/patches/99_configure.dpatch

22. By Fabien Tassin

* New security upstream release: 1.8.1.14 (LP: #218534)
  Fixes USN-602-1 / mfsa-2008-20 / CVE-2008-1380
* Merge from debian unstable (1.8.1.14-1). Remaining ubuntu changes:
  - debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
  - xulrunner alternative in /usr/bin
* Update configure for the visibility patch:
  - update debian/patches/99_configure.dpatch

21. By Fabien Tassin

* New security upstream release: 1.8.1.13 (LP: #207171)
* Security fixes:
  - MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
  - MFSA 2008-18 Java socket connection to any local port via LiveConnect
  - MFSA 2008-17 Privacy issue with SSL Client Authentication
  - MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
  - MFSA 2008-15 Crashes with evidence of memory corruption
  - MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
* Merge from debian unstable (1.8.1.12-5). Remaining ubuntu changes:
  - debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
  - xulrunner alternative in /usr/bin
* Drop patches applied upstream:
  - drop debian/patches/10_SECAlgorithmIDTemplate.dpatch
  - update debian/patches/00list
* Update diverged patches:
  - update debian/patches/99_configure.dpatch

20. By Fabien Tassin

* Merge from debian unstable (LP: #174219), remaining changes:
   - 88_bz384304_lp117575_linkrecursion_fix_in_startscript.dpatch
   - 88_bz399589_fix_missing_symbol_with_new_nss.dpatch
   - 88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
   - xulrunner alternative in /usr/bin
     - debian/xulrunner.install
     - debian/xulrunner.{postinst,prerm}
* Update debian/patches/99_configure.dpatch

19. By Fabien Tassin

* Merge from debian unstable (LP: #163271), remaining changes:
  - remaining Ubuntu patches in debian/patches:
    - 88_force-no-pragma-visibility-for-gcc-4.2_4.3
    - 88_bz384304_lp117575_linkrecursion_fix_in_startscript
  - xulrunner diversion (xulrunner.{postinst,prerm,install})
  - Maintainer set to Ubuntu MOTU Developers
* Drop debian/patches/{68_python25_api_breakage.dpatch,
  88_ubuntu_pyginputstream.dpatch,88_ubuntu_pyiinputstream.dpatch}
  merge by Debian into debian/patches/35_python_2.5.dpatch
  - update debian/patches/00list
* Drop debian/patches/61_python_py_ssize_t_detect now useless
  - update debian/patches/00list
* Fix FTBFS with cairo lib needing Xrender:
  - add patch 88_bz344818_missing_library_check
  - update debian/patches/00list
* Fix FTBFS with newer nss allowing to build with either old nss 3.11
  or upcoming 3.12.
  - add patch 88_bz399589_fix_missing_symbol_with_new_nss
  - update debian/patches/00list
* Update debian/patches/99_configure.dpatch

18. By Alexander Sack

debian/control: build depend on ecj instead of ecj-bootstrap, that doesn't
exist anymore.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/xulrunner
This branch contains Public information 
Everyone can see this information.

Subscribers