1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2317-1] icedove security update

    From Moritz Muehlenhoff@1:229/2 to All on Wed Oct 5 22:40:01 2011
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2317-1 [email protected] http://www.debian.org/security/ Moritz Muehlenhoff October 05, 2011 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : icedove
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-2372 CVE-2011-2995 CVE-2011-2998 CVE-2011-2999
    CVE-2011-3000

    CVE-2011-2372

    Mariusz Mlynski discovered that websites could open a download
    dialog - which has "open" as the default action -, while a user
    presses the ENTER key.

    CVE-2011-2995

    Benjamin Smedberg, Bob Clary and Jesse Ruderman discovered crashes
    in the rendering engine, which could lead to the execution of
    arbitrary code.

    CVE-2011-2998

    Mark Kaplan discovered an integer underflow in the javascript
    engine, which could lead to the execution of arbitrary code.

    CVE-2011-2999

    Boris Zbarsky discovered that incorrect handling of the
    window.location object could lead to bypasses of the same-origin
    policy.

    CVE-2011-3000

    Ian Graham discovered that multiple Location headers might lead to
    CRLF injection.

    As indicated in the Lenny (oldstable) release notes, security support for
    the Icedove packages in the oldstable needed to be stopped before the end
    of the regular Lenny security maintenance life cycle.
    You are strongly encouraged to upgrade to stable or switch to a different
    mail client.

    For the stable distribution (squeeze), this problem has been fixed in
    version 3.0.11-1+squeeze5.

    For the unstable distribution (sid), this problem has been fixed in
    version 3.1.15-1.

    We recommend that you upgrade your icedove packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)

    iEYEARECAAYFAk6Mu3QACgkQXm3vHE4uylrwhwCfc/fF22rM86AEyyEQGGkszEK3 fG4AoMk40i/NXY3FebVHE1oAD+r51Lda
    =JSWD
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)