{"cve": [{"lastseen": "2017-08-17T11:14:32", "bulletinFamily": "NVD", "description": "Sage 1.4.3 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.", "modified": "2017-08-16T21:31:26", "published": "2009-11-29T08:08:29", "id": "CVE-2009-4102", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4102", "title": "CVE-2009-4102", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:57:08", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firefox-sage\nannounced via advisory DSA 1951-1.", "modified": "2017-07-07T00:00:00", "published": "2009-12-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=66590", "id": "OPENVAS:66590", "title": "Debian Security Advisory DSA 1951-1 (firefox-sage)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1951_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1951-1 (firefox-sage)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that firefox-sage, a lightweight RSS and Atom feed\nreader for Firefox, does not sanitise the RSS feed information\ncorrectly, which makes it prone to a cross-site scripting and a\ncross-domain scripting attack.\n\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 1.4.2-0.1+lenny1.\n\nFor the oldstable distribution (etch), this problem has been fixed in\nversion 1.3.6-4etch1.\n\nFor the testing distribution (squeeze) and the unstable distribution\n(sid), this problem has been fixed in version 1.4.3-3.\n\n\nWe recommend that you upgrade your firefox-sage packages.\";\ntag_summary = \"The remote host is missing an update to firefox-sage\nannounced via advisory DSA 1951-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201951-1\";\n\n\nif(description)\n{\n script_id(66590);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-30 21:58:43 +0100 (Wed, 30 Dec 2009)\");\n script_cve_id(\"CVE-2009-4102\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1951-1 (firefox-sage)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"firefox-sage\", ver:\"1.3.6-4etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"firefox-sage\", ver:\"1.4.2-0.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:40:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update to firefox-sage\nannounced via advisory DSA 1951-1.", "modified": "2018-04-06T00:00:00", "published": "2009-12-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066590", "id": "OPENVAS:136141256231066590", "type": "openvas", "title": "Debian Security Advisory DSA 1951-1 (firefox-sage)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1951_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1951-1 (firefox-sage)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that firefox-sage, a lightweight RSS and Atom feed\nreader for Firefox, does not sanitise the RSS feed information\ncorrectly, which makes it prone to a cross-site scripting and a\ncross-domain scripting attack.\n\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 1.4.2-0.1+lenny1.\n\nFor the oldstable distribution (etch), this problem has been fixed in\nversion 1.3.6-4etch1.\n\nFor the testing distribution (squeeze) and the unstable distribution\n(sid), this problem has been fixed in version 1.4.3-3.\n\n\nWe recommend that you upgrade your firefox-sage packages.\";\ntag_summary = \"The remote host is missing an update to firefox-sage\nannounced via advisory DSA 1951-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201951-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66590\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", 
value:\"2009-12-30 21:58:43 +0100 (Wed, 30 Dec 2009)\");\n script_cve_id(\"CVE-2009-4102\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1951-1 (firefox-sage)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"firefox-sage\", ver:\"1.3.6-4etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"firefox-sage\", ver:\"1.4.2-0.1+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "jvn": [{"lastseen": "2018-08-31T00:36:26", "bulletinFamily": "info", "description": "\n ## Description\n\nSage is an addon for Mozilla Firefox that adds an RSS/Atom feed reader. 
Sage is vulnerable to arbitrary script execution due to the improper processing during HTML page output based on feed information.\n\n ## Impact\n\nAn arbitrary script embedded in an RSS/Atom feed may be executed on the user's Mozilla Firefox.\n\n ## Solution\n\n**Update the software** \nUpdate to the latest version according to the information provided by the developer. \n \n**Apply a workaround** \nUntil an update can be applied, the workaround below may reduce the impact of this vulnerability: \n\n\n * Uncheck the option for \"Read feed into contents area\" in Sage\n\n ## Products Affected\n\n * Sage versions prior to 1.4.6\n", "modified": "2011-09-06T00:00:00", "published": "2011-09-02T00:00:00", "id": "JVN:99203127", "href": "http://jvn.jp/en/jp/JVN99203127/index.html", "title": "JVN#99203127: Sage vulnerable to arbitrary script execution", "type": "jvn", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:13:06", "bulletinFamily": "scanner", "description": "It was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitise the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack.", "modified": "2018-11-10T00:00:00", "id": "DEBIAN_DSA-1951.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44816", "published": "2010-02-24T00:00:00", "title": "Debian DSA-1951-1 : firefox-sage - insufficient input sanitising", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1951. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44816);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:34\");\n\n script_cve_id(\"CVE-2009-4102\");\n script_xref(name:\"DSA\", value:\"1951\");\n\n script_name(english:\"Debian DSA-1951-1 : firefox-sage - insufficient input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that firefox-sage, a lightweight RSS and Atom feed\nreader for Firefox, does not sanitise the RSS feed information\ncorrectly, which makes it prone to a cross-site scripting and a\ncross-domain scripting attack.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559267\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1951\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the firefox-sage packages.\n\nFor the oldstable distribution (etch), this problem has been fixed in\nversion 1.3.6-4etch1.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 1.4.2-0.1+lenny1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:firefox-sage\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/15\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"firefox-sage\", reference:\"1.3.6-4etch1\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"firefox-sage\", reference:\"1.4.2-0.1+lenny1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:13:00", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1951-1 security@debian.org\nhttp://www.debian.org/security/ Steffen Joeris\nDecember 15, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : firefox-sage\nVulnerability : insufficient input sanitising\nProblem type : remote\nDebian-specific: no\nCVE Id : CVE-2009-4102\nDebian Bug : 559267\n\nIt was discovered that firefox-sage, a lightweight RSS and Atom feed\nreader for Firefox, does not sanitise the RSS feed 
information\ncorrectly, which makes it prone to a cross-site scripting and a\ncross-domain scripting attack.\n\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 1.4.2-0.1+lenny1.\n\nFor the oldstable distribution (etch), this problem has been fixed in\nversion 1.3.6-4etch1.\n\nFor the testing distribution (squeeze) and the unstable distribution\n(sid), this problem has been fixed in version 1.4.3-3.\n\n\nWe recommend that you upgrade your firefox-sage packages.\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (oldstable)\n- ------------------\n\nOldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1.dsc\n Size/MD5 checksum: 607 d4175001caa8fc685f47452de46aaa03\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6.orig.tar.gz\n Size/MD5 checksum: 135325 49c68a517b6611c7352feb6072be9567\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1.diff.gz\n Size/MD5 checksum: 13123 a59b6403405d4c6214b569fdb068049f\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1_all.deb\n Size/MD5 checksum: 150172 57339ba6521e7611e4e27fce4f87df31\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are 
available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1.diff.gz\n Size/MD5 checksum: 15552 c62acce299739cfe09c5ed671f0d310f\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2.orig.tar.gz\n Size/MD5 checksum: 169202 71f4d7379bc6e39640fc20016493f129\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1.dsc\n Size/MD5 checksum: 1039 f47c953cd90197453e1ce165f13cb701\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1_all.deb\n Size/MD5 checksum: 171308 63a27b648f10e021b18acf9c8d8d24f0\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2009-12-15T11:55:39", "published": "2009-12-15T11:55:39", "id": "DEBIAN:DSA-1951-1:E255F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00274.html", "title": "[SECURITY] [DSA 1951-1] New firefox-sage packages fix insufficient input sanitizing", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:27:46", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 37120\r\nCVE(CAN) ID: 
CVE-2009-4102\r\n\r\nSage is a lightweight RSS and Atom feed aggregator extension used by Firefox.\r\n\r\nSage does not properly filter input from the description tag of an RSS feed before using it to render content; a user who is tricked into subscribing to a malicious RSS feed will cause arbitrary script code to be executed with chrome: privileges.\n\nMozilla Sage 1.4.3\nVendor patch:\r\n\r\nMozilla\r\n-------\r\nThe vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:\r\n\r\nhttps://addons.mozilla.org/en-US/firefox/addon/77", "modified": "2009-12-03T00:00:00", "published": "2009-12-03T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-15019", "id": "SSV:15019", "type": "seebug", "title": "Firefox Sage extension RSS feed cross-domain script execution vulnerability", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1951-1 security@debian.org\r\nhttp://www.debian.org/security/ Steffen Joeris\r\nDecember 15, 2009 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : firefox-sage\r\nVulnerability : insufficient input sanitising\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE Id : CVE-2009-4102\r\nDebian Bug : 559267\r\n\r\nIt was discovered that firefox-sage, a lightweight RSS and Atom 
feed\r\nreader for Firefox, does not sanitise the RSS feed information\r\ncorrectly, which makes it prone to a cross-site scripting and a\r\ncross-domain scripting attack.\r\n\r\n\r\nFor the stable distribution (lenny), this problem has been fixed in\r\nversion 1.4.2-0.1+lenny1.\r\n\r\nFor the oldstable distribution (etch), this problem has been fixed in\r\nversion 1.3.6-4etch1.\r\n\r\nFor the testing distribution (squeeze) and the unstable distribution\r\n(sid), this problem has been fixed in version 1.4.3-3.\r\n\r\n\r\nWe recommend that you upgrade your firefox-sage packages.\r\n\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nDebian (oldstable)\r\n- ------------------\r\n\r\nOldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1.dsc\r\n Size/MD5 checksum: 607 d4175001caa8fc685f47452de46aaa03\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6.orig.tar.gz\r\n Size/MD5 checksum: 135325 49c68a517b6611c7352feb6072be9567\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1.diff.gz\r\n Size/MD5 checksum: 13123 a59b6403405d4c6214b569fdb068049f\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1_all.deb\r\n Size/MD5 checksum: 150172 
57339ba6521e7611e4e27fce4f87df31\r\n\r\n\r\nDebian GNU/Linux 5.0 alias lenny\r\n- --------------------------------\r\n\r\nDebian (stable)\r\n- ---------------\r\n\r\nStable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1.diff.gz\r\n Size/MD5 checksum: 15552 c62acce299739cfe09c5ed671f0d310f\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2.orig.tar.gz\r\n Size/MD5 checksum: 169202 71f4d7379bc6e39640fc20016493f129\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1.dsc\r\n Size/MD5 checksum: 1039 f47c953cd90197453e1ce165f13cb701\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1_all.deb\r\n Size/MD5 checksum: 171308 63a27b648f10e021b18acf9c8d8d24f0\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAksneJ0ACgkQ62zWxYk/rQeRnACgl5xAjdWg9H6/gvteFqVkY1bh\r\nw/kAnRzc6lGDWUAoe6H3pjfZdP1XhMDx\r\n=CsHJ\r\n-----END PGP SIGNATURE-----", "modified": "2009-12-15T00:00:00", "published": "2009-12-15T00:00:00", "id": "SECURITYVULNS:DOC:22941", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22941", "title": "[SECURITY] [DSA 1951-1] New firefox-sage packages fix insufficient input sanitizing", "type": "securityvulns", 
"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}