
Re: Patches Break Software

Roy Schestowitz wrote:
> http://news.com.com/2100-1002_3-6063529.html?part=rss&tag=6063529&subj=news
>
> ,----[ Quote ]
> | Does bad luck indeed come in threes? A Microsoft security fix for
> | Outlook Express could be the third of last week's patches to cause
> | trouble for some users.
> `----
>


-> Lesson to be learned: design secure software, don't rely on patches.

Hmmmm. Interesting. My Ubuntu machine tells me it needs to patch
Firefox. Let's see why... What's that again about designing secure
software and not relying on patches?


Version 1.0.8-0ubuntu5.10:

  * New upstream release which fixes the following vulnerabilities:
    - MFSA 2006-25, CVE-2006-1727: Privilege escalation through Print
      Preview
    - MFSA 2006-24, CVE-2006-1728: Privilege escalation using
      crypto.generateCRMFRequest
    - MFSA 2006-23, CVE-2006-1729: File stealing by changing input type
    - MFSA 2006-22, CVE-2006-1730: CSS Letter-Spacing Heap Overflow
      Vulnerability
    - MFSA 2006-19, CVE-2006-1731: Cross-site scripting using
      .valueOf.call()
    - MFSA 2006-18, CVE-2006-0749: Mozilla Firefox Tag Order
      Vulnerability
    - MFSA 2006-17, CVE-2006-1732: cross-site scripting through
      window.controllers
    - MFSA 2006-16, CVE-2006-1733: Accessing XBL compilation scope via
      valueOf.call()
    - MFSA 2006-15, CVE-2006-1734: Privilege escalation using a
      JavaScript function's cloned parent
    - MFSA 2006-14, CVE-2006-1735: Privilege escalation via
      XBL.method.eval
    - MFSA 2006-13, CVE-2006-1736: Downloading executables with "Save
      Image As..."
    - MFSA 2006-12, CVE-2006-1740: Secure-site spoof (requires security
      warning dialog)
    - MFSA 2006-11, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739,
      CVE-2006-1790: Crashes with evidence of memory corruption
      (rv:1.8)
    - MFSA 2006-10, CVE-2006-1742: JavaScript garbage-collection hazard
      audit
    - MFSA 2006-09, CVE-2006-1741: Cross-site JavaScript injection
      using event handlers
    - MFSA 2006-05, CVE-2006-0296: Localstore.rdf XML injection through
      XULDocument.persist()
    - MFSA 2006-03, CVE-2005-4134: Long document title causes startup
      denial of Service
    - MFSA 2006-01, CVE-2006-0292: JavaScript garbage-collection
      hazards

