• [SECURITY] [DSA 2406-1] icedove security update

    From Florian Weimer@1:229/2 to All on Thu Feb 9 13:10:02 2012
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2406-1                   [email protected]
    http://www.debian.org/security/                            Florian Weimer
    February 09, 2012                      http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : icedove
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-3670 CVE-2012-0442 CVE-2012-0444 CVE-2012-0449

    Several vulnerabilities have been discovered in Icedove, Debian's
    variant of the Mozilla Thunderbird code base.

    CVE-2011-3670
    Icedove does not properly enforce the IPv6 literal address
    syntax, which allows remote attackers to obtain sensitive
    information by making XMLHttpRequest calls through a proxy and
    reading the error messages.

    CVE-2012-0442
    Memory corruption bugs could cause Icedove to crash or
    possibly execute arbitrary code.

    CVE-2012-0444
    Icedove does not properly initialize nsChildView data
    structures, which allows remote attackers to cause a denial of
    service (memory corruption and application crash) or possibly
    execute arbitrary code via a crafted Ogg Vorbis file.

    CVE-2012-0449
    Icedove allows remote attackers to cause a denial of service
    (memory corruption and application crash) or possibly execute
    arbitrary code via a malformed XSLT stylesheet that is
    embedded in a document.

    For the stable distribution (squeeze), this problem has been fixed in
    version 3.0.11-1+squeeze7.

    We recommend that you upgrade your icedove packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iQEcBAEBAgAGBQJPM7PyAAoJEL97/wQC1SS+46QH/0NkqnkfapTtEUKV71mvSufA KSjeYaZqowMJtM1JQcuGdcGQifTeOoXqfm9lBCyXOpoxgGS5ltqOTYkbYRT+2XNr +sw6SbMA+X5N3+gHIpeuZtDgEqT3hZWlyxoB83LarvVoQfxU+43jfjeR3d4GPNQe kL0H40v3mt7WneVOdrk+N1LUlqO/EY1KK7lStXhyjSGShTQqOTrWzUXcogKBDcY9 DFT9bR3jKKjPXYKHr1kc4/mEUSGsJ9XHxm0nEAGiXEV6Np+6owB54ANb4BoLV3ON ZXpYglfqw44ikYi+wDGaPsq91ofmIwb7eqiAadQPBMZTmjUM3BMLKLvumrp1CBY=
    =KEq1
    -----END PGP SIGNATURE-----


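A check a host owner could run against the fixed version named in the advisory, as an added example that is not part of the original message: it implements Debian's version ordering (epoch, upstream version, revision, with `~` sorting before everything) and reports whether an installed icedove version is at or above 3.0.11-1+squeeze7. The function names and the sample installed versions are assumptions constructed for illustration.

```python
import re

FIXED = "3.0.11-1+squeeze7"  # fixed icedove version for squeeze, from the advisory

def _order(c):
    """Sort weight of one character: '~' < end of string < letters < other."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    while a or b:
        # Peel off one non-digit run and one digit run from each side.
        na, da, a = re.match(r"([^0-9]*)([0-9]*)(.*)", a).groups()
        nb, db, b = re.match(r"([^0-9]*)([0-9]*)(.*)", b).groups()
        for k in range(max(len(na), len(nb))):
            diff = _order(na[k:k + 1]) - _order(nb[k:k + 1])
            if diff:
                return diff
        diff = int(da or 0) - int(db or 0)  # digit runs compare numerically
        if diff:
            return diff
    return 0

def split_version(v):
    """Split 'epoch:upstream-revision'; missing epoch is 0, missing revision is empty."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(a, b):
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, fixed=FIXED):
    """True when the installed version is the fixed version or newer."""
    return compare(installed, fixed) >= 0

if __name__ == "__main__":
    # Constructed sample versions; on a Debian host the real value comes from
    # dpkg-query -W -f='${Version}' icedove
    for v in ("3.0.11-1+squeeze6", "3.0.11-1+squeeze7", "3.0.11-1+squeeze7~bpo1"):
        print(v, "fixed" if is_fixed(v) else "VULNERABLE: upgrade icedove")
```

The comparison is by version string only, so it answers the question for squeeze packages; a version from another release needs that release's own fixed version.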