Home / vulnerabilitiesPDF  

dsa-1534-2.txt

Posted on 25 April 2008
Source : packetstormsecurity.org Link

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1534-2 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 24, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : iceape
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235
CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240
CVE-2008-1241

A regression in mailnews handling has been fixed. For reference the
original advisory text below:

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4879

Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.

CVE-2008-1233

"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.

CVE-2008-1234

"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.

CVE-2008-1235

Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling can lead to cross-site
scripting and the execution of arbitrary code.

CVE-2008-1236

Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.

CVE-2008-1237

"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.

CVE-2008-1238

Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.

CVE-2008-1241

Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks.

For the stable distribution (etch), these problems have been fixed in
version 1.0.13~pre080323b-0etch2.

We recommend that you upgrade your iceape packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch2.diff.gz
Size/MD5 checksum: 270431 fc94cccf043f45b5bd2f1ea2d6b9b225
http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch2.dsc
Size/MD5 checksum: 1439 3a1c421b0d61223760b7724dcf7ff6d9
http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b.orig.tar.gz
Size/MD5 checksum: 42900009 f2a3c50d814f6e7015f779b10494fac8

Architecture independent packages:

http://security.debian.org/pool/updates/main/i/iceape/mozilla-browser_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 28532 87c74c4e89522054101318d3a6aaaef9
http://security.debian.org/pool/updates/main/i/iceape/mozilla-js-debugger_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27594 5795424a813f6d765400d27852161904
http://security.debian.org/pool/updates/main/i/iceape/mozilla-psm_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27568 7b63ae9c6c56a43ae9db63e2f4c0ff85
http://security.debian.org/pool/updates/main/i/iceape/mozilla-chatzilla_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27576 a3cb70fb2e4811959f447c35effd3dcc
http://security.debian.org/pool/updates/main/i/iceape/iceape-dev_1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 3928614 14cc24bbe9b509d69db0a20ccc1de079
http://security.debian.org/pool/updates/main/i/iceape/mozilla-calendar_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27558 bde53046463a722d1831cb45a59bb3cf
http://security.debian.org/pool/updates/main/i/iceape/mozilla_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27560 62b1ef313aa14596c934a8121eb412c2
http://security.debian.org/pool/updates/main/i/iceape/iceape-chatzilla_1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 282312 6df637681e0a66b1bf68833b347b2124
http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 28966 549dc26dd898c58013aeb624098d5db1
http://security.debian.org/pool/updates/main/i/iceape/mozilla-mailnews_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27582 9c5919265f60ed5ba60075bc9b5102dc
http://security.debian.org/pool/updates/main/i/iceape/mozilla-dom-inspector_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27596 9aa97c6c5f94155ec3e8d36c2414fd1d
http://security.debian.org/pool/updates/main/i/iceape/mozilla-dev_1.8+1.0.13~pre080323b-0etch2_all.deb
Size/MD5 checksum: 27694 c2a812caa94a72724bb98ec8cfc93249

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_alpha.deb
Size/MD5 checksum: 12886108 2d9a38d95503842a3832aed859f0f80a
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_alpha.deb
Size/MD5 checksum: 2281642 791f3a80ebdb173c2f9d0ff152f976c9
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_alpha.deb
Size/MD5 checksum: 627482 5729fa2e2f72dfa803e37a99b461417b
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_alpha.deb
Size/MD5 checksum: 54972 11524f4ed3875809260eac9a6c0325a0
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_alpha.deb
Size/MD5 checksum: 60658744 e56cb39f56de70aaf7a201b0e13d309a
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_alpha.deb
Size/MD5 checksum: 199028 8d154e497acf9e7796390f2b1c1501dd

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_amd64.deb
Size/MD5 checksum: 59663026 37829add13c621e391eb2c6c9e047ca7
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_amd64.deb
Size/MD5 checksum: 2099876 895840b306a190900c44dc4088961c50
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_amd64.deb
Size/MD5 checksum: 11692150 69a227342b3e5d563a716149eadfc7ca
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_amd64.deb
Size/MD5 checksum: 53740 d716f72d98622c3c97a679705426c2d5
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_amd64.deb
Size/MD5 checksum: 195436 c5838a1fcb25f0588abed9da193c06ce
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_amd64.deb
Size/MD5 checksum: 614236 0483f95d4be4d1a5b359a3864bc466f4

arm architecture (ARM)

http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_arm.deb
Size/MD5 checksum: 586622 65a7a73dc018e2c1c77c26a412510e7d
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_arm.deb
Size/MD5 checksum: 58798986 33ad7943133f5f00672dcdeaa245f057
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_arm.deb
Size/MD5 checksum: 10426214 24dbab44f5ab57bccd1a0bfbb0f17680
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_arm.deb
Size/MD5 checksum: 187090 57015ccb41fa214c46cd79b696d14198
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_arm.deb
Size/MD5 checksum: 47796 e0c6b965e643018af3abb27d41a01c38
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_arm.deb
Size/MD5 checksum: 1916922 36584dddf43f46a70412fe794991d07e

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_hppa.deb
Size/MD5 checksum: 55158 0f80d4449589b0b77c8ef469ed9c2102
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_hppa.deb
Size/MD5 checksum: 619606 4ac9462c322063202406f20eb08b6adb
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_hppa.deb
Size/MD5 checksum: 198562 7dcaaf89e91e427acefa886275f2606c
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_hppa.deb
Size/MD5 checksum: 12991842 40dbc4f08611a986d30c358b4c442cab
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_hppa.deb
Size/MD5 checksum: 2349778 0400cc18d7078e6a5c9d675cc5ec935d
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_hppa.deb
Size/MD5 checksum: 60520824 a501cd292183eb7a909cdc481302cc9d

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_i386.deb
Size/MD5 checksum: 1891942 8b55f7fffc8dda99a78c8deb587b3601
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_i386.deb
Size/MD5 checksum: 48796 920f9ba79b92a527149a3f8e3ca9e80f
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_i386.deb
Size/MD5 checksum: 58740626 87ac20b038ce496fe0dec8fc78f8fb66
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_i386.deb
Size/MD5 checksum: 190146 7d2da0e3a0a4291f5a78da36e4d91758
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_i386.deb
Size/MD5 checksum: 589368 c07d98219b6c237b4ecdc8cc24dde349
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_i386.deb
Size/MD5 checksum: 10480450 b302009b8337411c5b1cc59a394249a9

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_ia64.deb
Size/MD5 checksum: 62286 ae7ef14b5c6bc27032715154c3b830d1
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_ia64.deb
Size/MD5 checksum: 205078 7ffa6a5b770b336fe224c9c659e22236
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_ia64.deb
Size/MD5 checksum: 2817294 c1330dea34afd59505ba68496dfc9de0
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_ia64.deb
Size/MD5 checksum: 59920064 1e9f504516f7e024e3aa7df03b7859c4
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_ia64.deb
Size/MD5 checksum: 15794360 5a0009de6fe96fd8745b6d1da4f57512
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_ia64.deb
Size/MD5 checksum: 662296 a147dba65a655f2ffc4bc2dba80d062a

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_mips.deb
Size/MD5 checksum: 11157426 2894d4aa411f541d24321e7cfc8c40dc
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_mips.deb
Size/MD5 checksum: 1959586 8245d1d89e210dc64822059177c60935
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_mips.deb
Size/MD5 checksum: 191382 993aa97774959191af28842e469ee122
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_mips.deb
Size/MD5 checksum: 50272 71182383f85762af687451ac3ef38824
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_mips.deb
Size/MD5 checksum: 599816 32d92af3b4068d460b27aea4a2941ef5
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_mips.deb
Size/MD5 checksum: 61513408 ddaa38162de39210cf0372b66d277afd

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_mipsel.deb
Size/MD5 checksum: 10910758 dc4b71d0b3b3877411f1d6434152ae60
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_mipsel.deb
Size/MD5 checksum: 191610 9829f7d8bf6d3057b575f44f2e42d7ba
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_mipsel.deb
Size/MD5 checksum: 596352 1fbd24b1af0f0a8f09fa6caabd05f9d1
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_mipsel.deb
Size/MD5 checksum: 50114 5321e20192aba965da843116d5198a81
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_mipsel.deb
Size/MD5 checksum: 59864402 a591a34d73e69d6f8ba4985f7398cb60
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_mipsel.deb
Size/MD5 checksum: 1942674 7e8584f9c790ab330d760e0589a8a657

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_powerpc.deb
Size/MD5 checksum: 596578 8ca91ddc369b7c2ef83d0cd1596cd644
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_powerpc.deb
Size/MD5 checksum: 192394 87211ca1331a30d20a2c899ce647cfc2
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_powerpc.deb
Size/MD5 checksum: 49580 f483e34bfbe4f072ba48fe4467c6d9eb
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_powerpc.deb
Size/MD5 checksum: 2006802 cd1f36cb35b56996ed18ccc2bce77769
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_powerpc.deb
Size/MD5 checksum: 61653704 d6a8402134109d8aa8d086f5a014e180
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_powerpc.deb
Size/MD5 checksum: 11310660 d7775c0b98494daec085df09bdbc87c8

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_s390.deb
Size/MD5 checksum: 197250 556af0df979862515c7a58f9b823cec7
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_s390.deb
Size/MD5 checksum: 54332 ef3f1234a167fa3056075501d4ab7ccb
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_s390.deb
Size/MD5 checksum: 612090 5b6a56753f5a39caa9336a9dd5e6f67c
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_s390.deb
Size/MD5 checksum: 2186154 c106802c2fbf29e99beb440ade898d06
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_s390.deb
Size/MD5 checksum: 60408796 7169c59d6b3ea8758e6ca752a44b537d
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_s390.deb
Size/MD5 checksum: 12288118 e54834b616bba85af29add06b7c18be7

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_sparc.deb
Size/MD5 checksum: 585692 caea96e57a9283b7978ad15fcc6a378c
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_sparc.deb
Size/MD5 checksum: 1896400 609528b7ee5eb3ca761853daf8a5f619
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_sparc.deb
Size/MD5 checksum: 10659906 27159c6c7c281cbf50e8b6f8bcb9164a
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_sparc.deb
Size/MD5 checksum: 58546410 4d394093ea9de39766982f3047fd3f9b
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_sparc.deb
Size/MD5 checksum: 190044 f0a2981d7f48f1c8e3cec1fb9b9ec6ed
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_sparc.deb
Size/MD5 checksum: 48396 ad3f586fd1c9f3239fa1a587fcc1603e

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: 'apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIEPUuXm3vHE4uyloRAn/NAJ4m6N2wWgtvotnez1lFkx9c5xVanwCeI2Jr
+wpqOPXsRIidIZmukYfs3Y8=
=Gtpv
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 

TOP