Executive Summary
Summary | |
---|---|
Title | xulrunner security update |
Information | |||
---|---|---|---|
Name | RHSA-2012:1361 | First vendor Publication | 2012-10-12 |
Vendor | RedHat | Last vendor Modification | 2012-10-12 |
Severity (Vendor) | Critical | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Problem Description:

Updated xulrunner packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

XULRunner provides the XUL Runtime environment for applications using the Gecko layout engine.

A flaw was found in the way XULRunner handled security wrappers. A web page containing malicious content could possibly cause an application linked against XULRunner (such as Mozilla Firefox) to execute arbitrary code with the privileges of the user running the application. (CVE-2012-4193)

For technical details regarding this flaw, refer to the Mozilla security advisories. You can find a link to the Mozilla advisories in the References section of this erratum.

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter.

All XULRunner users should upgrade to these updated packages, which correct this issue. After installing the update, applications using XULRunner must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

865215 - CVE-2012-4193 Mozilla: defaultValue security checks not applied (MFSA 2012-89)
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2012-1361.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-346 | Origin Validation Error |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:16786 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:16786 | ||
Title: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-4193 | Version: | 21 |
Platform(s): | Microsoft Windows 7, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows Server 2003, Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows 8, Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox, Mozilla Thunderbird, Mozilla SeaMonkey, Mozilla Firefox ESR, Mozilla Thunderbird ESR |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18116 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:18116 | ||
Title: | USN-1611-1 -- thunderbird vulnerabilities | ||
Description: | Several security issues were fixed in Thunderbird. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1611-1, CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989, CVE-2012-4191, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-4184, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188, CVE-2012-4192, CVE-2012-4193 | Version: | 7 |
Platform(s): | Ubuntu 12.04, Ubuntu 11.10, Ubuntu 11.04, Ubuntu 10.04 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21341 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:21341 | ||
Title: | RHSA-2012:1361: xulrunner security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1361-01, CESA-2012:1361, CVE-2012-4193 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, CentOS Linux 5, CentOS Linux 6 | Product(s): | xulrunner |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21545 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:21545 | ||
Title: | RHSA-2012:1362: thunderbird security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1362-01, CESA-2012:1362, CVE-2012-4193 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 5, CentOS Linux 5, CentOS Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23004 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23004 | ||
Title: | DEPRECATED: ELSA-2012:1361: xulrunner security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1361-01, CVE-2012-4193 | Version: | 7 |
Platform(s): | Oracle Linux 5, Oracle Linux 6 | Product(s): | xulrunner |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23099 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23099 | ||
Title: | ELSA-2012:1361: xulrunner security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1361-01, CVE-2012-4193 | Version: | 6 |
Platform(s): | Oracle Linux 5, Oracle Linux 6 | Product(s): | xulrunner |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23105 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23105 | ||
Title: | DEPRECATED: ELSA-2012:1362: thunderbird security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1362-01, CVE-2012-4193 | Version: | 7 |
Platform(s): | Oracle Linux 6, Oracle Linux 5 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23952 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23952 | ||
Title: | ELSA-2012:1362: thunderbird security update (Critical) | ||
Description: | Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1362-01, CVE-2012-4193 | Version: | 6 |
Platform(s): | Oracle Linux 6, Oracle Linux 5 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26871 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:26871 | ||
Title: | DEPRECATED: ELSA-2012-1362 -- thunderbird security update (critical) | ||
Description: | [10.0.8-2.0.1.el6_3] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js; Replace clean.gif in tarball. [10.0.8-2] - Added patches from 10.0.9 ESR | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1362, CVE-2012-4193 | Version: | 4 |
Platform(s): | Oracle Linux 5, Oracle Linux 6 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27077 | |||
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:27077 | ||
Title: | DEPRECATED: ELSA-2012-1361 -- xulrunner security update (critical) | ||
Description: | [10.0.8-2.0.1.el6_3] - Replace xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js. [10.0.8-2] - Added patches from 10.0.9 ESR | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1361, CVE-2012-4193 | Version: | 4 |
Platform(s): | Oracle Linux 5, Oracle Linux 6 | Product(s): | xulrunner |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-12-13 | Name : SuSE Update for MozillaFirefox openSUSE-SU-2012:1345-1 (MozillaFirefox) File : nvt/gb_suse_2012_1345_1.nasl |
2012-10-16 | Name : CentOS Update for xulrunner CESA-2012:1361 centos5 File : nvt/gb_CESA-2012_1361_xulrunner_centos5.nasl |
2012-10-16 | Name : CentOS Update for xulrunner CESA-2012:1361 centos6 File : nvt/gb_CESA-2012_1361_xulrunner_centos6.nasl |
2012-10-16 | Name : CentOS Update for thunderbird CESA-2012:1362 centos5 File : nvt/gb_CESA-2012_1362_thunderbird_centos5.nasl |
2012-10-16 | Name : CentOS Update for thunderbird CESA-2012:1362 centos6 File : nvt/gb_CESA-2012_1362_thunderbird_centos6.nasl |
2012-10-16 | Name : RedHat Update for xulrunner RHSA-2012:1361-01 File : nvt/gb_RHSA-2012_1361-01_xulrunner.nasl |
2012-10-16 | Name : RedHat Update for thunderbird RHSA-2012:1362-01 File : nvt/gb_RHSA-2012_1362-01_thunderbird.nasl |
2012-10-16 | Name : Ubuntu Update for thunderbird USN-1611-1 File : nvt/gb_ubuntu_USN_1611_1.nasl |
2012-10-15 | Name : Mozilla Firefox Security Bypass Vulnerabilities - Oct 12 (Mac OS X) File : nvt/gb_mozilla_prdts_sec_bypass_vuln_oct12_macosx.nasl |
2012-10-15 | Name : Mozilla Firefox Security Bypass Vulnerabilities - Oct 12 (Windows) File : nvt/gb_mozilla_prdts_sec_bypass_vuln_oct12_win.nasl |
2012-10-13 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox70.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2012-1351-1.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-709.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2012-1362.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1361.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox-201210-121015.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_1601.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_firefox-201210-8327.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : seamonkey_2131.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_1009.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_1601.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_1009.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_16_0_1.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_10_0_9.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_16_0_1.nasl - Type : ACT_GATHER_INFO |
2012-10-17 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_10_0_9.nasl - Type : ACT_GATHER_INFO |
2012-10-16 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20121012_xulrunner_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-10-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1361.nasl - Type : ACT_GATHER_INFO |
2012-10-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1361.nasl - Type : ACT_GATHER_INFO |
2012-10-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1362.nasl - Type : ACT_GATHER_INFO |
2012-10-15 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1611-1.nasl - Type : ACT_GATHER_INFO |
2012-10-15 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2012-1362.nasl - Type : ACT_GATHER_INFO |
2012-10-11 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6e5a9afd12d311e2b47dc8600054b392.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:56:25 | |