CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
AI Score: 10 High (Confidence: High)
EPSS: 0.034 Low (Percentile: 91.5%)

Debian Security Advisory DSA-2588-1 [email protected]
http://www.debian.org/security/
December 16, 2012 http://www.debian.org/security/faq
Package : icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829 CVE-2012-5842

Multiple vulnerabilities have been found in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client.

CVE-2012-4201
    The evalInSandbox implementation uses an incorrect context during
    the handling of JavaScript code that sets the location.href
    property, which allows remote attackers to conduct cross-site
    scripting (XSS) attacks or read arbitrary files by leveraging a
    sandboxed add-on.

CVE-2012-4207
    The HZ-GB-2312 character-set implementation does not properly handle
    a ~ (tilde) character in proximity to a chunk delimiter, which
    allows remote attackers to conduct cross-site scripting (XSS)
    attacks via a crafted document.

CVE-2012-4216
    Use-after-free vulnerability in the gfxFont::GetFontEntry function
    allows remote attackers to execute arbitrary code or cause a denial
    of service (heap memory corruption) via unspecified vectors.

CVE-2012-5829
    Heap-based buffer overflow in the nsWindow::OnExposeEvent function could
    allow remote attackers to execute arbitrary code.

CVE-2012-5842
    Multiple unspecified vulnerabilities in the browser engine could
    allow remote attackers to cause a denial of service (memory
    corruption and application crash) or possibly execute arbitrary
    code.

For the stable distribution (squeeze), these problems have been fixed in
version 3.0.11-1+squeeze15.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.11-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: [email protected]
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 6 | armel | xulrunner-1.9.1-dbg | < 1.9.1.16-20 | xulrunner-1.9.1-dbg_1.9.1.16-20_armel.deb |
Debian | 6 | amd64 | iceweasel | < 3.5.16-20 | iceweasel_3.5.16-20_amd64.deb |
Debian | 6 | s390 | iceweasel-dbg | < 3.5.16-20 | iceweasel-dbg_3.5.16-20_s390.deb |
Debian | 6 | s390 | libmozjs2d-dbg | < 1.9.1.16-20 | libmozjs2d-dbg_1.9.1.16-20_s390.deb |
Debian | 6 | kfreebsd-i386 | libmozjs-dev | < 1.9.1.16-20 | libmozjs-dev_1.9.1.16-20_kfreebsd-i386.deb |
Debian | 6 | armel | libmozjs2d | < 1.9.1.16-20 | libmozjs2d_1.9.1.16-20_armel.deb |
Debian | 6 | mipsel | iceape-mailnews | < 2.0.11-17 | iceape-mailnews_2.0.11-17_mipsel.deb |
Debian | 6 | kfreebsd-i386 | iceweasel-dbg | < 3.5.16-20 | iceweasel-dbg_3.5.16-20_kfreebsd-i386.deb |
Debian | 6 | amd64 | icedove-dev | < 3.0.11-1+squeeze15 | icedove-dev_3.0.11-1+squeeze15_amd64.deb |
Debian | 6 | kfreebsd-i386 | iceape-mailnews | < 2.0.11-17 | iceape-mailnews_2.0.11-17_kfreebsd-i386.deb |