[SECURITY] [DSA 2528-1] icedove security update

2012-08-1419:26:36

lists.debian.org

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.035 Low

EPSS

Percentile

91.4%

JSON

Debian Security Advisory DSA-2528-1 [email protected]
http://www.debian.org/security/ Florian Weimer
August 14, 2012 http://www.debian.org/security/faq

Package : icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-1948 CVE-2012-1950 CVE-2012-1954 CVE-2012-1967

Several vulnerabilities were discovered in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client.

CVE-2012-1948
Multiple unspecified vulnerabilities in the browser engine
were fixed.

CVE-2012-1950
The underlying browser engine allows address bar spoofing
through drag-and-drop.

CVE-2012-1954
A use-after-free vulnerability in the nsDocument::AdoptNode
function allows remote attackers to cause a denial of service
(heap memory corruption) or possibly execute arbitrary code.

CVE-2012-1967
An error in the implementation of the Javascript sandbox
allows execution of Javascript code with improper privileges
using javascript: URLs.

For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze12.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 10.0.6-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6ia64spidermonkey-bin< 1.9.1.16-17spidermonkey-bin_1.9.1.16-17_ia64.deb
Debian6alliceape-dev< 2.0.11-14iceape-dev_2.0.11-14_all.deb
Debian6i386icedove-dev< 3.0.11-1+squeeze12icedove-dev_3.0.11-1+squeeze12_i386.deb
Debian6armelxulrunner-1.9.1-dbg< 1.9.1.16-17xulrunner-1.9.1-dbg_1.9.1.16-17_armel.deb
Debian6kfreebsd-amd64xulrunner-1.9.1< 1.9.1.16-17xulrunner-1.9.1_1.9.1.16-17_kfreebsd-amd64.deb
Debian6kfreebsd-amd64iceape-browser< 2.0.11-14iceape-browser_2.0.11-14_kfreebsd-amd64.deb
Debian6armelxulrunner-dev< 1.9.1.16-17xulrunner-dev_1.9.1.16-17_armel.deb
Debian6powerpcicedove-dbg< 3.0.11-1+squeeze12icedove-dbg_3.0.11-1+squeeze12_powerpc.deb
Debian6mipselxulrunner-dev< 1.9.1.16-17xulrunner-dev_1.9.1.16-17_mipsel.deb
Debian6amd64iceweasel< 3.5.16-17iceweasel_3.5.16-17_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	ia64	spidermonkey-bin	< 1.9.1.16-17	spidermonkey-bin_1.9.1.16-17_ia64.deb
Debian	6	all	iceape-dev	< 2.0.11-14	iceape-dev_2.0.11-14_all.deb
Debian	6	i386	icedove-dev	< 3.0.11-1+squeeze12	icedove-dev_3.0.11-1+squeeze12_i386.deb
Debian	6	armel	xulrunner-1.9.1-dbg	< 1.9.1.16-17	xulrunner-1.9.1-dbg_1.9.1.16-17_armel.deb
Debian	6	kfreebsd-amd64	xulrunner-1.9.1	< 1.9.1.16-17	xulrunner-1.9.1_1.9.1.16-17_kfreebsd-amd64.deb
Debian	6	kfreebsd-amd64	iceape-browser	< 2.0.11-14	iceape-browser_2.0.11-14_kfreebsd-amd64.deb
Debian	6	armel	xulrunner-dev	< 1.9.1.16-17	xulrunner-dev_1.9.1.16-17_armel.deb
Debian	6	powerpc	icedove-dbg	< 3.0.11-1+squeeze12	icedove-dbg_3.0.11-1+squeeze12_powerpc.deb
Debian	6	mipsel	xulrunner-dev	< 1.9.1.16-17	xulrunner-dev_1.9.1.16-17_mipsel.deb
Debian	6	amd64	iceweasel	< 3.5.16-17	iceweasel_3.5.16-17_amd64.deb