-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- ------------------------------------------------------------------------ Debian Security Advisory DSA-1489-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff February 10, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------
Package : iceweasel Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2008-0412 CVE-2008-0413 CVE-2008-0414 CVE-2008-0415 CVE-2008-0416 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0594
Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0412
Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code.
CVE-2008-0413
Carsten Book, Wesley Garland, Igor Bukanov, "moz_bug_r_a4", "shutdown", Philip Taylor and "tgirmann" discovered crashes in the Javascript engine, which might allow the execution of arbitrary code.
CVE-2008-0414
"hong" and Gregory Fleisher discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files.
CVE-2008-0415
"moz_bug_r_a4" and Boris Zbarsky discovered discovered several vulnerabilities in Javascript handling, which could allow privilege escalation.
CVE-2008-0417
Justin Dolske discovered that the password storage machanism could be abused by malicious web sites to corrupt existing saved passwords.
CVE-2008-0418
Gerry Eisenhaur and "moz_bug_r_a4" discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure.
CVE-2008-0419
David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure or potentially the execution of arbitrary code.
CVE-2008-0591
Michal Zalewski discovered that timers protecting security-sensitive dialogs (which disable dialog elements until a timeout is reached) could be bypassed by window focus changes through Javascript.
CVE-2008-0592
It was discovered that malformed content declarations of saved attachments could prevent a user in the opening local files with a ".txt" file name, resulting in minor denial of service.
CVE-2008-0593
Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure.
CVE-2008-0594
Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with <div> elements.
For the stable distribution (etch), these problems have been fixed in version 2.0.0.12-0etch1.
The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates.
We recommend that you upgrade your iceweasel packages.
Upgrade instructions - --------------------
wget url will fetch the file for you dpkg -i file.deb will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database apt-get upgrade will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian 4.0 (stable) - -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
iceweasel_2.0.0.12.orig.tar.gz Size/MD5 checksum: 43522779 34cb9e2038afa635dac9319a0f113be8 iceweasel_2.0.0.12-0etch1.dsc Size/MD5 checksum: 1289 568c8d5661721888aa75724f4ec76cf9 iceweasel_2.0.0.12-0etch1.diff.gz Size/MD5 checksum: 186174 96e7907d265cdf00b81785db4e2ab6c4
Architecture independent packages:
firefox_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 54290 97f40d39e73fba4b90c79a514ab89f18 firefox-gnome-support_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 54146 ef3dbcc83837bc5c86ecdb3295716e23 mozilla-firefox-dom-inspector_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 54026 91815e0777f6249b4ba95bbeb38cee0c firefox-dom-inspector_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 54176 1b7640fa33604225b347b8fd368163a0 mozilla-firefox_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 54816 97db059f2fc4f52bd4d2389f724e8378 mozilla-firefox-gnome-support_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 54026 969ad8b6ed5b8b0dea8cd5d3414c1485 iceweasel-dom-inspector_2.0.0.12-0etch1_all.deb Size/MD5 checksum: 239356 4309e0a07163450b9d7ce65103b39b80
alpha architecture (DEC Alpha)
iceweasel-gnome-support_2.0.0.12-0etch1_alpha.deb Size/MD5 checksum: 90934 5e1bdb44f0484fd2111a1541276b99dd iceweasel-dbg_2.0.0.12-0etch1_alpha.deb Size/MD5 checksum: 51062530 72e80dbe1969eae96b4d9ed57aa89122 iceweasel_2.0.0.12-0etch1_alpha.deb Size/MD5 checksum: 11553820 0cea194c903903bb98b53cc349b89dbf
amd64 architecture (AMD x86_64 (AMD64))
iceweasel-dbg_2.0.0.12-0etch1_amd64.deb Size/MD5 checksum: 50060784 8639ed04300fac0705c47c27338fdfbb iceweasel-gnome-support_2.0.0.12-0etch1_amd64.deb Size/MD5 checksum: 87564 79c23f813fc543121275f4a974833c82 iceweasel_2.0.0.12-0etch1_amd64.deb Size/MD5 checksum: 10182710 bb8bbff82040dc0c04e98ac477a5a691
hppa architecture (HP PA RISC)
iceweasel-gnome-support_2.0.0.12-0etch1_hppa.deb Size/MD5 checksum: 89302 2867a60e5385e94188bf66f38f992a29 iceweasel_2.0.0.12-0etch1_hppa.deb Size/MD5 checksum: 11031094 f5926d349e00706a548fdb4f6c02dbac iceweasel-dbg_2.0.0.12-0etch1_hppa.deb Size/MD5 checksum: 50426978 4228e87f68b21f2627069a320603263d
i386 architecture (Intel ia32)
iceweasel_2.0.0.12-0etch1_i386.deb Size/MD5 checksum: 9096292 1c535164988178a3d6b889f9d44f31e8 iceweasel-gnome-support_2.0.0.12-0etch1_i386.deb Size/MD5 checksum: 81706 a7ca2818a1d14730077724e3acaf615f iceweasel-dbg_2.0.0.12-0etch1_i386.deb Size/MD5 checksum: 49451404 3525c3b01dd1142815513cc0d390493f
ia64 architecture (Intel ia64)
iceweasel_2.0.0.12-0etch1_ia64.deb Size/MD5 checksum: 14120046 8d6c6253c001988251523976eee216a1 iceweasel-gnome-support_2.0.0.12-0etch1_ia64.deb Size/MD5 checksum: 99914 3a4bd7bd5ab87d20bbf5a962411ae4fa iceweasel-dbg_2.0.0.12-0etch1_ia64.deb Size/MD5 checksum: 50400330 dfa48b54a479b7f305c899bc3f395f92
mips architecture (MIPS (Big Endian))
iceweasel-dbg_2.0.0.12-0etch1_mips.deb Size/MD5 checksum: 53844792 613a7bc03c43510bcb09e09d33bce694 iceweasel-gnome-support_2.0.0.12-0etch1_mips.deb Size/MD5 checksum: 82810 e673433c89d7a74e95b86ed1a264fa5b iceweasel_2.0.0.12-0etch1_mips.deb Size/MD5 checksum: 11038906 5f60ab9a24ad69a5b8c17ef69f31ef83
mipsel architecture (MIPS (Little Endian))
iceweasel-gnome-support_2.0.0.12-0etch1_mipsel.deb Size/MD5 checksum: 82872 e9fcd10390f6241f8ddc9c996807afe0 iceweasel_2.0.0.12-0etch1_mipsel.deb Size/MD5 checksum: 10735706 dcc381a4d6a0d26a0d69afb0696955db iceweasel-dbg_2.0.0.12-0etch1_mipsel.deb Size/MD5 checksum: 52399756 ffa41f602d079d778355e5a4a7cbde18
powerpc architecture (PowerPC)
iceweasel_2.0.0.12-0etch1_powerpc.deb Size/MD5 checksum: 9913630 75da2ef9f6915fc6961cc56755f6b8fb iceweasel-gnome-support_2.0.0.12-0etch1_powerpc.deb Size/MD5 checksum: 83434 0b65d7b061d42bfb5ae48c9fb2f65e05 iceweasel-dbg_2.0.0.12-0etch1_powerpc.deb Size/MD5 checksum: 51852988 59f76c278e30b86d7e3caaab603d774e
s390 architecture (IBM S/390)
iceweasel-gnome-support_2.0.0.12-0etch1_s390.deb Size/MD5 checksum: 87788 6cc1b69d90583e765b1f54bdd8ec88a4 iceweasel_2.0.0.12-0etch1_s390.deb Size/MD5 checksum: 10339140 dd605f3c893a9fd281ee68c940faaea7 iceweasel-dbg_2.0.0.12-0etch1_s390.deb Size/MD5 checksum: 50726238 fdc527fd80bb0383ea8ef02dca684f16
sparc architecture (Sun SPARC/UltraSPARC)
iceweasel-gnome-support_2.0.0.12-0etch1_sparc.deb Size/MD5 checksum: 81548 f4e489f39594fda6a3a3498aea9bd986 iceweasel_2.0.0.12-0etch1_sparc.deb Size/MD5 checksum: 9122208 28632988671ede31388d9caa46a5cfe9 iceweasel-dbg_2.0.0.12-0etch1_sparc.deb Size/MD5 checksum: 49060394 1008a6ee3a9f8a3b6e46b766e62af10a
These files will probably be moved into the stable distribution on its next update.
- --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHr2JkXm3vHE4uyloRAhzrAKDV6FwWWT6zbc76/ZDibTDSmd13mQCfegas oCcPvP3xPzO1cIgOX25gUi0= =5KCZ -----END PGP SIGNATURE-----
-- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|