On Tue, 24 Nov 2009 12:30:09 +0100, Alexander Sack wrote:
> On Mon, Nov 23, 2009 at 11:58:34PM -0500, Michael Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.5-1
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for xulrunner.
> >
> > CVE-2009-2953[0]:
> > | Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
> > | attackers to cause a denial of service (CPU consumption) via
> > | JavaScript code with a long string value for the hash property (aka
> > | location.hash), a related issue to CVE-2008-5715.
>
> Mozilla does not consider normal DoS bugs a security issue.
I am acutely aware of that, but since this issue got a CVE id it is on the security radar. If you feel that 'important' is too high, then please feel free to downgrade the severity.

> It happens that CVEs got filed by someone in the past, but unless they
> show memory corruption they are useless ...

Understood. And as stated in the title, this is just a denial of service; not even a crash (except in Galeon).

> is this advisory something confirmed/released by mozilla?

No, I have not seen anything official from Mozilla, but I have verified that the proof-of-concept does work; hence the reason for submitting the bug.

mike