On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> Package: xulrunner
> Version: 1.9.1.1-2
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for xulrunner.
>
> CVE-2009-2663[0]:
> | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> | 3.5.x before 3.5.2 and other products, allows context-dependent
> | attackers to cause a denial of service (memory corruption and
> | application crash) or possibly execute arbitrary code via a crafted
> | .ogg file.
>
> This does not affect versions 1.9.0.12 and earlier, so no updates
> are needed for the stable releases.

The summary you pasted suggests that "before" 3.0.13 is affected, which would mean that xul 1.9.0.12 would be affected too; but OTOH, the 1.9 branch didn't have any libvorbis/codec support afaik. So this feels like a typo in the CVE.

Anyway. xul should probably be updated to .13 anyway in stable.

- Alexander