9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
10 High
AI Score
Confidence
High
0.034 Low
EPSS
Percentile
91.5%
Debian Security Advisory DSA-2583-1 [email protected]
http://www.debian.org/security/ Yves-Alexis Perez
December 08, 2012 http://www.debian.org/security/faq
Package : iceweasel
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829
CVE-2012-5842
Debian Bug :
Multiple vulnerabilities have been found in Iceweasel, the Debian web browser
based on Mozilla Firefox:
CVE-2012-5829
Heap-based buffer overflow in the nsWindow::OnExposeEvent function could
allow remote attackers to execute arbitrary code.
CVE-2012-5842
Multiple unspecified vulnerabilities in the browser engine could allow remote
attackers to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code.
CVE-2012-4207
The HZ-GB-2312 character-set implementation does not properly handle a ~
(tilde) character in proximity to a chunk delimiter, which allows remote
attackers to conduct cross-site scripting (XSS) attacks via a crafted
document.
CVE-2012-4201
The evalInSandbox implementation uses an incorrect context during the
handling of JavaScript code that sets the location.href property, which
allows remote attackers to conduct cross-site scripting (XSS) attacks or read
arbitrary files by leveraging a sandboxed add-on.
CVE-2012-4216
Use-after-free vulnerability in the gfxFont::GetFontEntry function allows
remote attackers to execute arbitrary code or cause a denial of service (heap
memory corruption) via unspecified vectors.
For the stable distribution (squeeze), these problems have been fixed in
version 3.5.16-20.
For the testing distribution (wheezy), these problems have been fixed in
version 10.0.11esr-1.
For the unstable distribution (sid), these problems have been fixed in
version 10.0.11esr-1.
We recommend that you upgrade your iceweasel packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: [email protected]
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 6 | armel | xulrunner-1.9.1-dbg | < 1.9.1.16-20 | xulrunner-1.9.1-dbg_1.9.1.16-20_armel.deb |
Debian | 6 | amd64 | iceweasel | < 3.5.16-20 | iceweasel_3.5.16-20_amd64.deb |
Debian | 6 | s390 | iceweasel-dbg | < 3.5.16-20 | iceweasel-dbg_3.5.16-20_s390.deb |
Debian | 6 | s390 | libmozjs2d-dbg | < 1.9.1.16-20 | libmozjs2d-dbg_1.9.1.16-20_s390.deb |
Debian | 6 | kfreebsd-i386 | libmozjs-dev | < 1.9.1.16-20 | libmozjs-dev_1.9.1.16-20_kfreebsd-i386.deb |
Debian | 6 | armel | libmozjs2d | < 1.9.1.16-20 | libmozjs2d_1.9.1.16-20_armel.deb |
Debian | 6 | mipsel | iceape-mailnews | < 2.0.11-17 | iceape-mailnews_2.0.11-17_mipsel.deb |
Debian | 6 | kfreebsd-i386 | iceweasel-dbg | < 3.5.16-20 | iceweasel-dbg_3.5.16-20_kfreebsd-i386.deb |
Debian | 6 | amd64 | icedove-dev | < 3.0.11-1+squeeze15 | icedove-dev_3.0.11-1+squeeze15_amd64.deb |
Debian | 6 | kfreebsd-i386 | iceape-mailnews | < 2.0.11-17 | iceape-mailnews_2.0.11-17_kfreebsd-i386.deb |