[SECURITY] [DSA 2433-1] iceweasel security update

2012-03-1521:42:10

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

6.7 Medium

AI Score

Confidence

High

0.056 Low

EPSS

Percentile

93.3%

JSON

Debian Security Advisory DSA-2433-1 [email protected]
http://www.debian.org/security/ Moritz Muehlenhoff
March 15, 2012 http://www.debian.org/security/faq

Package : iceweasel
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0455 CVE-2012-0456 CVE-2012-0458 CVE-2012-0461

Several vulnerabilities have been discovered in Iceweasel, a web browser
based on Firefox. The included XULRunner library provides rendering
services for several other applications included in Debian.

CVE-2012-0455

Soroush Dalili discovered that a cross-site scripting countermeasure
related to Javascript URLs could be bypassed.

CVE-2012-0456

Atte Kettunen discovered an out of bounds read in the SVG Filters,
resulting in memory disclosure.

CVE-2012-0458

Mariusz Mlynski discovered that privileges could be escalated through
a Javascript URL as the home page.

CVE-2012-0461

Bob Clary discovered memory corruption bugs, which may lead to the
execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-13.

For the unstable distribution (sid), this problem has been fixed in
version 10.0.3esr-1.

For the experimental distribution, this problem has been fixed in
version 11.0-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6i386icedove-dbg< 3.0.11-1+squeeze8icedove-dbg_3.0.11-1+squeeze8_i386.deb
Debian6amd64icedove-dev< 3.0.11-1+squeeze8icedove-dev_3.0.11-1+squeeze8_amd64.deb
Debian6s390iceape-browser< 2.0.11-11iceape-browser_2.0.11-11_s390.deb
Debian6i386libmozjs-dev< 1.9.1.16-13libmozjs-dev_1.9.1.16-13_i386.deb
Debian6amd64icedove-dbg< 3.0.11-1+squeeze8icedove-dbg_3.0.11-1+squeeze8_amd64.deb
Debian6powerpcspidermonkey-bin< 1.9.1.16-13spidermonkey-bin_1.9.1.16-13_powerpc.deb
Debian6mipselxulrunner-1.9.1-dbg< 1.9.1.16-13xulrunner-1.9.1-dbg_1.9.1.16-13_mipsel.deb
Debian6i386spidermonkey-bin< 1.9.1.16-13spidermonkey-bin_1.9.1.16-13_i386.deb
Debian6armeliceape-mailnews< 2.0.11-11iceape-mailnews_2.0.11-11_armel.deb
Debian6sparcxulrunner-dev< 1.9.1.16-13xulrunner-dev_1.9.1.16-13_sparc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	i386	icedove-dbg	< 3.0.11-1+squeeze8	icedove-dbg_3.0.11-1+squeeze8_i386.deb
Debian	6	amd64	icedove-dev	< 3.0.11-1+squeeze8	icedove-dev_3.0.11-1+squeeze8_amd64.deb
Debian	6	s390	iceape-browser	< 2.0.11-11	iceape-browser_2.0.11-11_s390.deb
Debian	6	i386	libmozjs-dev	< 1.9.1.16-13	libmozjs-dev_1.9.1.16-13_i386.deb
Debian	6	amd64	icedove-dbg	< 3.0.11-1+squeeze8	icedove-dbg_3.0.11-1+squeeze8_amd64.deb
Debian	6	powerpc	spidermonkey-bin	< 1.9.1.16-13	spidermonkey-bin_1.9.1.16-13_powerpc.deb
Debian	6	mipsel	xulrunner-1.9.1-dbg	< 1.9.1.16-13	xulrunner-1.9.1-dbg_1.9.1.16-13_mipsel.deb
Debian	6	i386	spidermonkey-bin	< 1.9.1.16-13	spidermonkey-bin_1.9.1.16-13_i386.deb
Debian	6	armel	iceape-mailnews	< 2.0.11-11	iceape-mailnews_2.0.11-11_armel.deb
Debian	6	sparc	xulrunner-dev	< 1.9.1.16-13	xulrunner-dev_1.9.1.16-13_sparc.deb