Articles / Debian: Security update for…

Debian: Security update for Icedove

Several vulnerabilities have been discovered in Icedove, Debian’s variant of the Mozilla Thunderbird code base. Icedove does not not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages. Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code. Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.

Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document

Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2406-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
February 09, 2012                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3670 CVE-2012-0442 CVE-2012-0444 CVE-2012-0449

Several vulnerabilities have been discovered in Icedove, Debian's
variant of the Mozilla Thunderbird code base.

CVE-2011-3670
  Icedove does not not properly enforce the IPv6 literal address
  syntax, which allows remote attackers to obtain sensitive
  information by making XMLHttpRequest calls through a proxy and
  reading the error messages.

CVE-2012-0442
  Memory corruption bugs could cause Icedove to crash or
  possibly execute arbitrary code.

CVE-2012-0444
  Icedove does not properly initialize nsChildView data
  structures, which allows remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly
  execute arbitrary code via a crafted Ogg Vorbis file.

CVE-2012-0449
  Icedove allows remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute
  arbitrary code via a malformed XSLT stylesheet that is
  embedded in a document

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze7.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJPM7PyAAoJEL97/wQC1SS+46QH/0NkqnkfapTtEUKV71mvSufA
KSjeYaZqowMJtM1JQcuGdcGQifTeOoXqfm9lBCyXOpoxgGS5ltqOTYkbYRT+2XNr
+sw6SbMA+X5N3+gHIpeuZtDgEqT3hZWlyxoB83LarvVoQfxU+43jfjeR3d4GPNQe
kL0H40v3mt7WneVOdrk+N1LUlqO/EY1KK7lStXhyjSGShTQqOTrWzUXcogKBDcY9
DFT9bR3jKKjPXYKHr1kc4/mEUSGsJ9XHxm0nEAGiXEV6Np+6owB54ANb4BoLV3ON
ZXpYglfqw44ikYi+wDGaPsq91ofmIwb7eqiAadQPBMZTmjUM3BMLKLvumrp1CBY=
=KEq1
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.