From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------ Debian Security Advisory DSA-1621-1
[email protected] http://www.debian.org/security/ Moritz Muehlenhoff
July 27, 2008
http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2008-0304 CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2802 CVE-2008-2803 CVE-2008-2807 CVE-2008-2809 CVE-2008-2811
Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2008-0304
It was discovered that a buffer overflow in MIME decoding can lead
to the execution of arbitrary code.
CVE-2008-2785
It was discovered that missing boundary checks on a reference
counter for CSS objects can lead to the execution of arbitrary code.
CVE-2008-2798
Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.
CVE-2008-2799
Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
the Javascript engine, which might allow the execution of arbitrary code.
CVE-2008-2802
"moz_bug_r_a4" discovered that XUL documements can escalate
privileges by accessing the pre-compiled "fastload" file.
CVE-2008-2803
"moz_bug_r_a4" discovered that missing input sanitising in the
mozIJSSubScriptLoader.loadSubScript() function could lead to the
execution of arbitrary code. Iceweasel itself is not affected, but
some addons are.
CVE-2008-2807
Daniel Glazman discovered that a programming error in the code for
parsing .properties files could lead to memory content being
exposed to addons, which could lead to information disclosure.
CVE-2008-2809
John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
alternate names on self-signed certificates were handled
insufficiently, which could lead to spoofings secure connections.
CVE-2008-2811
Greg McManus discovered discovered a crash in the block reflow
code, which might allow the execution of arbitrary code.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1. Packages for
s390 are not yet available and will be provided later.
For the unstable distribution (sid), these problems have been fixed in
version 2.0.0.16-1.
We recommend that you upgrade your icedove package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1.dsc
Size/MD5 checksum: 1982 f3c2c78e178cc5d918727b6a9f4ca9fb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d.orig.tar.gz
Size/MD5 checksum: 34581452 4fb6289f43f89b04e5eda6844ae6c988
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1.diff.gz
Size/MD5 checksum: 640682 66921d4b0aee62189770d0b1d9a27be3
Architecture independent packages:
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29552 463f08cd0992af2e5f5226983533ad1c
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29562 d19102f43c4938d796969c34952c0259
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29560 75f70ee24e4fc0a2573151f80545f523
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29546 afb54879e2c649e70328fe8096593197
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29560 004cb74dea9c951be193df990c49f4be
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29532 27605ca5220ba1fcc72392e6f1dc2387
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29556 8b55d0217a91ea8a4687f904ca799fa9
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29540 14fdb36a83b334276d25b72052d57508
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29538 34727cf9881337c6008ef858a694435c
http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
Size/MD5 checksum: 29518 943247aaa34c1ee99d978da3dd808a87
alpha architecture (DEC Alpha)
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)