iceweasel - several vulnerabilities

Several remote vulnerabilities have been discovered in the Iceweasel web
browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:

• CVE-2008-0016
  Justin Schuh, Tom Cross and Peter Williams discovered a buffer
  overflow in the parser for UTF-8 URLs, which may lead to the
  execution of arbitrary code.
• CVE-2008-3835
  moz_bug_r_a4 discovered that the same-origin check in
  nsXMLDocument::OnChannelRedirect() could by bypassed.
• CVE-2008-3836
  moz_bug_r_a4 discovered that several vulnerabilities in
  feedWriter could lead to Chrome privilege escalation.
• CVE-2008-3837
  Paul Nickerson discovered that an attacker could move windows
  during a mouse click, resulting in unwanted action triggered by
  drag-and-drop.
• CVE-2008-4058
  moz_bug_r_a4 discovered a vulnerability which can result in
  Chrome privilege escalation through XPCNativeWrappers.
• CVE-2008-4059
  moz_bug_r_a4 discovered a vulnerability which can result in
  Chrome privilege escalation through XPCNativeWrappers.
• CVE-2008-4060
  Olli Pettay and moz_bug_r_a4 discovered a Chrome privilege
  escalation vulnerability in XSLT handling.
• CVE-2008-4061
  Jesse Ruderman discovered a crash in the layout engine, which might
  allow the execution of arbitrary code.
• CVE-2008-4062
  Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour
  discovered crashes in the Javascript engine, which might allow the
  execution of arbitrary code.
• CVE-2008-4065
  Dave Reed discovered that some Unicode byte order marks are
  stripped from Javascript code before execution, which can result in
  code being executed, which were otherwise part of a quoted string.
• CVE-2008-4066
  Gareth Heyes discovered that some Unicode surrogate characters are
  ignored by the HTML parser.
• CVE-2008-4067
  Boris Zbarsky discovered that resource: URLs allow directory
  traversal when using URL-encoded slashes.
• CVE-2008-4068
  Georgi Guninski discovered that resource: URLs could bypass local
  access restrictions.
• CVE-2008-4069
  Billy Hoffman discovered that the XBM decoder could reveal
  uninitialised memory.

For the stable distribution (etch), these problems have been fixed in
version 2.0.0.17-0etch1. Packages for hppa will be provided later.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.3 of iceweasel and 1.9.0.3-1 of xulrunner.

We recommend that you upgrade your iceweasel packages.