  • [SECURITY] [DSA 1671-1] New iceweasel packages fix several vulnerabilit

    From Moritz Muehlenhoff@1:229/2 to All on Mon Nov 24 22:40:11 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1671-1                  [email protected]
    http://www.debian.org/security/                       Moritz Muehlenhoff
    November 24, 2008                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : iceweasel
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2008-0017 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024

    Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:

    CVE-2008-0017

    Justin Schuh discovered that a buffer overflow in the http-index-format
    parser could lead to arbitrary code execution.

    CVE-2008-4582

    Liu Die Yu discovered an information leak through local shortcut
    files.

    CVE-2008-5012

    Georgi Guninski, Michal Zalewski and Chris Evans discovered that
    the canvas element could be used to bypass same-origin
    restrictions.

    CVE-2008-5013

    It was discovered that insufficient checks in the Flash plugin glue
    code could lead to arbitrary code execution.

    CVE-2008-5014

    Jesse Ruderman discovered that a programming error in the
    window.__proto__.__proto__ object could lead to arbitrary code
    execution.

    CVE-2008-5017

    It was discovered that crashes in the layout engine could lead to
    arbitrary code execution.

    CVE-2008-5018

    It was discovered that crashes in the JavaScript engine could lead to
    arbitrary code execution.

    CVE-2008-5021

    It was discovered that a crash in the nsFrameManager might lead to
    the execution of arbitrary code.

    CVE-2008-5022

    "moz_bug_r_a4" discovered that the same-origin check in
    nsXMLHttpRequest::NotifyEventListeners() could be bypassed.

    CVE-2008-5023

    Collin Jackson discovered that the -moz-binding property bypasses
    security checks on codebase principals.

    CVE-2008-5024

    Chris Evans discovered that quote characters were improperly
    escaped in the default namespace of E4X documents.

    For the stable distribution (etch), these problems have been fixed in
    version 2.0.0.18-0etch1.

    For the upcoming stable distribution (lenny) and the unstable distribution (sid), these problems have been fixed in version 3.0.4-1 of iceweasel
    and version 1.9.0.4-1 of xulrunner. Packages for arm and mips will be
    provided soon.

    We recommend that you upgrade your iceweasel package.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Source archives:

    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.diff.gz
    Size/MD5 checksum: 186777 18d2492164c72b846fab74bd75a69e1b
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18.orig.tar.gz
    Size/MD5 checksum: 47266681 ad1a208d95dedeafddbe7377de88d4d9
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.dsc
    Size/MD5 checksum: 1289 84983c4e7f053c1f0eb3ea3d154bc6ad

    Architecture independent packages:

    http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 54478 73ed36d6990d6b86e8fccef00a9029b1
    http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 54626 bcc4bd1443fe23e5311396949bac9f32
    http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 54596 62200645f81cd0e505fd40382333d010
    http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 54742 045a9714ca0a04061cee79bc16b4b940
    http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 55274 09fdae147e16b09ad51544ab1fd218e6
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 239810 beeee1e8cab02ec9a70d89df8db4610b
    http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum: 54480 15636d866284ca7caf11bd939792df97

    alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_alpha.deb
    Size/MD5 checksum: 11587524 82c7dae5efa5f21333843c5204036f9d
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_alpha.deb
    Size/MD5 checksum: 51194740 8a6f236c8bef5e6b0b16df05a7fd866d
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_alpha.deb
    Size/MD5 checksum: 90332 8791b1fcc9a3bbfcaac993d65b1b77cd

    amd64 architecture (AMD x86_64 (AMD64))

    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_amd64.deb
    Size/MD5 checksum: 88014 4e4a404cb859067e8804b793b06b1a5a
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_amd64.deb
    Size/MD5 checksum: 50189682 3fe64a570e13497a49ac77972ead0ac0
    http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_amd64.deb
    Size/MD5 checksum: 10213098 a38d4ae01ab60abab641411ee7aedba1

    hppa architecture (HP PA RISC)


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
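
A pre-install check for the manual `wget` / `dpkg -i` path in the advisory above, as an added example that is not part of the advisory: it compares a downloaded file's size and MD5 with the `Size/MD5 checksum:` line listed under its URL. The function names, the `example.invalid` URLs and the sample file are constructed for illustration; MD5 only catches corruption or a wrong file, so the listed values are only as trustworthy as the advisory's PGP signature.

```shell
#!/bin/sh
# Added example, not part of the advisory. Checks a downloaded file against the
# "Size/MD5 checksum:" line that follows its URL in a saved copy of the advisory.
# verify_dsa_file ADVISORY FILE: 0 = match, 1 = mismatch, 2 = file not listed.
verify_dsa_file() {
    advisory=$1; file=$2
    name=$(basename "$file")
    # Exact basename match on the URL line, then read size and MD5 from the next line.
    expected=$(NAME="$name" awk '
        found && /Size\/MD5 checksum:/ { print $(NF-1), $NF; exit }
        { found = 0; u = $NF; sub(/.*\//, "", u)
          if (u != "" && u == ENVIRON["NAME"]) found = 1 }
    ' "$advisory")
    if [ -z "$expected" ]; then
        echo "$name: not listed in advisory" >&2; return 2
    fi
    want_size=${expected% *}; want_md5=${expected#* }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$got_size" = "$want_size" ] && [ "$got_md5" = "$want_md5" ]; then
        return 0
    fi
    echo "$name: size or MD5 mismatch, do not install" >&2
    return 1
}

# Constructed sample: a stand-in "package" plus an advisory excerpt in the same
# URL / checksum layout, written to a temporary directory (its path is printed).
make_sample() {
    dir=$(mktemp -d)
    printf 'constructed package payload\n' > "$dir/example_1.0-1_all.deb"
    size=$(wc -c < "$dir/example_1.0-1_all.deb" | tr -d ' ')
    md5=$(md5sum "$dir/example_1.0-1_all.deb" | cut -d' ' -f1)
    {
        echo "    http://security.example.invalid/pool/example-dbg_1.0-1_all.deb"
        echo "    Size/MD5 checksum: 1 00000000000000000000000000000000"
        echo "    http://security.example.invalid/pool/example_1.0-1_all.deb"
        echo "    Size/MD5 checksum: $size $md5"
    } > "$dir/advisory.txt"
    echo "$dir"
}
```

Run it as `verify_dsa_file advisory.txt file.deb && dpkg -i file.deb`, after checking the advisory's signature, so a mismatched or unlisted file is never installed.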