From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------ Debian Security Advisory DSA-1607-1
[email protected] http://www.debian.org/security/ Moritz Muehlenhoff
July 11, 2008
http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : iceweasel
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811
Several remote vulnerabilities have been discovered in the Iceweasel webbrowser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-2798
Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.
CVE-2008-2799
Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
the Javascript engine, which might allow the execution of arbitrary code.
CVE-2008-2800
"moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.
CVE-2008-2801
Collin Jackson and Adam Barth discovered that Javascript code
could be executed in the context or signed JAR archives.
CVE-2008-2802
"moz_bug_r_a4" discovered that XUL documements can escalate
privileges by accessing the pre-compiled "fastload" file.
CVE-2008-2803
"moz_bug_r_a4" discovered that missing input sanitising in the
mozIJSSubScriptLoader.loadSubScript() function could lead to the
execution of arbitrary code. Iceweasel itself is not affected, but
some addons are.
CVE-2008-2805
Claudio Santambrogio discovered that missing access validation in
DOM parsing allows malicious web sites to force the browser to
upload local files to the server, which could lead to information
disclosure.
CVE-2008-2807
Daniel Glazman discovered that a programming error in the code for
parsing .properties files could lead to memory content being
exposed to addons, which could lead to information disclosure.
CVE-2008-2808
Masahiro Yamada discovered that file URLS in directory listings
were insufficiently escaped.
CVE-2008-2809
John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
alternate names on self-signed certificates were handled
insufficiently, which could lead to spoofings secure connections.
CVE-2008-2811
Greg McManus discovered discovered a crash in the block reflow
code, which might allow the execution of arbitrary code.
For the stable distribution (etch), these problems have been fixed in
version 2.0.0.15-0etch1.
Iceweasel from the unstable distribution (sid) links dynamically
against the xulrunner library.
We recommend that you upgrade your iceweasel package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15.orig.tar.gz
Size/MD5 checksum: 47244449 4fb7fdf128d5c8ce5e880510e58f5cfa
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1.dsc
Size/MD5 checksum: 1289 f29a9bb4fd9f71d203de489050e1f5f5
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1.diff.gz
Size/MD5 checksum: 186551 355acbaea7631bbfa0a1013902a7c82a
Architecture independent packages:
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 55052 f166a298b2e71f4e478c01dc99e9601f
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 239592 281c8418a4d86ab976acf4fd65033606
http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 54520 283777c2a1be7e90d85e7f900c085f40
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 54262 06e72fcbbe44c5d4125137786dfb8011
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 54260 cb6f4ccf969394a3f5b650fb0f8de834
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 54376 fe9ef4ef5de1b277d8a532aeaaaf5581
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.15-0etch1_all.deb
Size/MD5 checksum: 54412 2728ff70a7e5051d7dc5bb424ca17a79
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_amd64.deb
Size/MD5 checksum: 50156300 9ab61c77c9b1bb6af19448d2300b3277
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_amd64.deb
Size/MD5 checksum: 87772 a3c3f310edeba4b18dfbb8880c8d76f9
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_amd64.deb
Size/MD5 checksum: 10202026 6017a343bcee74e5922218b25b00a9d9
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_hppa.deb
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)