reopen 535793 thanks On Thu, 17 Dec 2009 00:57:12 +0000 Debian Bug Tracking System wrote: > webkit (1.0.1-4+lenny2) stable-security; urgency=high > . > * Non-maintainer upload by the Security Team. > * Fixed FTBFS on arm and powerpc: include limits.h for a definition > of ULONG_MAX introduced in CVE-2009-1687 patch. > . > webkit (1.0.1-4+lenny1) stable-security; urgency=high > . > * Non-maintainer upload by the Security Team. > * Fixed CVE-2009-0945: NULL-pointer dereference in the SVGList > interface implementation (Closes: #532724, #532725) > * Fixed CVE-2009-1687: Integer overflow in JavaScript garbage > collector > * Fixed CVE-2009-1690: Incorrect handling <head> element content > once the <head> element was removed > * Fixed CVE-2009-1698: incorrect handling CSS "style" attribute > content > * Fixed CVE-2009-1711: denial of service or arbitrary code execution > via Attr DOM objects improper memory initialization. (Closes: #534946) > * Fixed CVE-2009-1712: arbitrary code execution via remote loading of > local java applets. (Closes: #535793) > * Fixed CVE-2009-1725: improper handling of numeric character > references (Closes: #538346) > * Patch based on work done by Marc Deslauriers in Ubuntu, thanks. > * Fixed CVE-2009-1714: Cross-site scripting (XSS) vulnerability in > Web Inspector > * Fixed CVE-2009-1710: Remote attackers can spoof the browser's > display of the host name, security indicators, and unspecified other UI > elements via a custom cursor in conjunction with a modified CSS3 > hotspot property. > * Fixed CVE-2009-1697: CRLF injection vulnerability allows remote > attackers to inject HTTP headers and bypass the Same Origin Policy via > a crafted HTML document > * Fixed CVE-2009-1695: Cross-site scripting (XSS) vulnerability > allows remote attackers to inject arbitrary web script or HTML via > vectors involving access to frame contents after completion of a page > transition. > * Fixed CVE-2009-1693 and CVE-2009-1694: does not properly handle > redirects, which allows remote attackers to read images from arbitrary > web sites via vectors involving a CANVAS element and redirection > * Fixed CVE-2009-1681: does not prevent web sites from loading > third-party content into a subframe, which allows remote attackers to > bypass the Same Origin Policy and conduct "clickjacking" attacks via a > crafted HTML document. > * Fixed CVE-2009-1684: Cross-site scripting (XSS) vulnerability > allows remote attackers to inject arbitrary web script or HTML via an > event handler that triggers script execution in the context of the next > loaded document. > * Fixed CVE-2009-1692: denial of service (memory consumption or > device reset) via a web page containing an HTMLSelectElement object > with a large length attribute, related to the length property of a > Select object.
hi Giuseppe, this patch didn't address all of the CVEs in the orignal bug report, and i've confirmed that they are still open in the tracker, so i am reopening the bug since there are still unaddressed issues if that is ok. mike -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
