Debian: Security update for Icedove

Several vulnerabilities were discovered in Icedove, Debian’s version of the Mozilla Thunderbird mail and news client. Multiple unspecified vulnerabilities in the browser engine were fixed. The underlying browser engine allows address bar spoofing through drag-and-drop. A use-after-free vulnerability in the nsDocument::AdoptNode function allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code.

An error in the implementation of the JavaScript sandbox allows execution of JavaScript code with improper privileges using javascript: URLs.

Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2528-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
August 14, 2012                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1948 CVE-2012-1950 CVE-2012-1954 CVE-2012-1967

Several vulnerabilities were discovered in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client.

CVE-2012-1948
  Multiple unspecified vulnerabilities in the browser engine
  were fixed.

CVE-2012-1950
  The underlying browser engine allows address bar spoofing 
  through drag-and-drop.

CVE-2012-1954
  A use-after-free vulnerability in the nsDocument::AdoptNode
  function allows remote attackers to cause a denial of service
  (heap memory corruption) or possibly execute arbitrary code.

CVE-2012-1967
  An error in the implementation of the Javascript sandbox
  allows execution of Javascript code with improper privileges
  using javascript: URLs.

For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze12.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 10.0.6-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----