-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1391-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff October 19th, 2007 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : icedove Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-3734 CVE-2007-3735 CVE-2007-3844 CVE-2007-3845 CVE-2007-5339 CVE-2007-5340 Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-3734 Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul Nickerson and Vladimir Sukhoy discovered crashes in the layout engine, which might allow the execution of arbitrary code. CVE-2007-3735 Asaf Romano, Jesse Ruderman and Igor Bukanov discovered crashes in the javascript engine, which might allow the execution of arbitrary code. CVE-2007-3844 "moz_bug_r_a4" discovered that a regression in the handling of "about:blank" windows used by addons may lead to an attacker being able to modify the content of web sites. CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page. CVE-2007-5339 L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay, Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. CVE-2007-5340 Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Generally, enabling Javascript in Icedove is not recommended. The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates. For the stable distribution (etch) these problems have been fixed in version 1.5.0.13+1.5.0.14b.dfsg1-0etch1. Builds for hppa will be provided later. The unstable distribution (sid) will be fixed soon. We recommend that you upgrade your icedove packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1.dsc Size/MD5 checksum: 1934 5037f765746ad92c73e0e95ab4988272 http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1.diff.gz Size/MD5 checksum: 639834 43c96d5fcdf34ebb5c069dc4378a965b http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1.orig.tar.gz Size/MD5 checksum: 34229032 9cc1dca6142d6b1044e78026b53968c1 Architecture independent components: http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28682 b7f1a7e3ea1149a9767539be1c19acbb http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28694 53bb2afe9384039094219bb14da3727a http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28698 6df3bdfb10692d1057b64c49c8f93a5a http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28670 7d12e5160a91e489bc481c5a05024776 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28668 d0a07a5a35dda48ed3a521596ec3b620 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28674 96dc6c4e9629612f7f7fa5ba8276bb4e http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28684 2195e5213a818c01569199922f943178 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28678 eadcb03b9cf28fdad9e0555e83c697a6 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28696 b0c1366f5a530674ec66b578db206bde http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb Size/MD5 checksum: 28654 2090a750ed666d208905b82d684668d3 Alpha architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 13477820 f3a6a6e49d63ff96469075b51ec00e53 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 52380964 ba66fa325d9ee5a81a41bf475c4dca6e http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 3958088 b590d691047b14234e06d86b2d499b8b http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 52226 f87b9fc43fe204e7601f04af40f74a65 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 200550 4efd9b2fac6f4ded2b6a77ef4c836508 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 64440 fac79a2479f022d8360f4546f3eee0c2 AMD64 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 12169764 dfc903a949bba53bd63f40fdc184e8e3 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 51475050 acef2a67aed70c9600d94b57863b77b7 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 3676870 e76acc39db8446c406acca7887be7f43 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 52070 4da21cca0d9fcb2194c0c87af58a0a47 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 195718 24993c2fe872d47802ffb85aa216c3c1 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 61152 daeca534072d6b581b8dda7157944925 ARM architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb Size/MD5 checksum: 10887054 e17f25f197173789364e181a6cd23f61 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb Size/MD5 checksum: 50827196 5d86bfb3dcebd97ac8182e0e3f95d1e2 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb Size/MD5 checksum: 3919820 d442262ccc5a44cbcd7a5f64fe8eb37b http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb Size/MD5 checksum: 47176 64c99299d7fc3a683b421a8dc5d1f02a http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb Size/MD5 checksum: 189960 b83f0f0fc068e98964629cc9e5abe4ec http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb Size/MD5 checksum: 58784 3dbf10421174d1ca69ac3ff1dc792913 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb Size/MD5 checksum: 10907250 1199372b7db30d88866d8593ab623fa4 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb Size/MD5 checksum: 50727826 05b724998e5ad5ab979f1f617133677f http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb Size/MD5 checksum: 3673196 0081310d1c9e694b66e76d61c1991ba9 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb Size/MD5 checksum: 47998 fecad4abe4563d7ef3cb1241237cc48f http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb Size/MD5 checksum: 190752 a04352a82bdd8b1e44d893e52e2c8f78 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb Size/MD5 checksum: 58096 605dadf61f57c94fe3ecfe64f61a60e2 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 16549542 192455836f9d3eb042f31a764e26cabf http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 51779230 f6bb62bfefa37428bc974296aefe71af http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 3725888 6f3ce218d453889fe559279eefb04f0c http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 59474 fabb1f94e5f63a0e104c011ac69d48a1 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 204796 a5ecb32106350803a9484be3518d370f http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 74168 827a5b641d4636b9ec0989bc00696f12 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb Size/MD5 checksum: 11578122 8ff9399d2ee8a78a08e92e9df127ba9e http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb Size/MD5 checksum: 53098688 857aa81aa88e57b008d79968ac485be5 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb Size/MD5 checksum: 3681558 801a505ed2047dc3529f2f0892970b12 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb Size/MD5 checksum: 49180 70feb0d4c30be9021fad80326e508d70 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb Size/MD5 checksum: 192564 8cc78754e7b0e1a8f3719ede7b3b5fd9 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb Size/MD5 checksum: 58626 4a17a19e3566abd93b03c42d57e11373 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 11357332 f2ce1e851f2901f347e36c911b34f0bd http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 51668660 52e861adbf9db87800e72fba8927be4a http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 3681328 38cb9f4e2bec05c0d4d87bc0a37c8227 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 49046 a81ede66fa203d422cab4229f41d4acf http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 192066 14bd132627dda77ebd51c35a16ba4177 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 58692 462392c1a31cb10c369113aa8e9ed2b4 PowerPC architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 11802298 e2a2e2a68725e9199bb6577cf1915c2d http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 53275990 28257c9a2f527a42fd13af8d1374b326 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 3676086 8b102b424b32292623e4d6fb58bd22d5 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 49662 671b9ef6d16dad0e5c78fe1179ccfb03 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 192760 3647291657831f9e7521042f45c0a21e http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 60496 e3db6721e38912f876f9d8a659180c98 IBM S/390 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb Size/MD5 checksum: 12828684 668ac711c1a1e799aec0d67cc4c67b98 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb Size/MD5 checksum: 52146038 805635d08025fefeab7d1c25ff635181 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb Size/MD5 checksum: 3679950 02543a6b8725e78b7a5feaa8bf0d9811 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb Size/MD5 checksum: 52698 032c290706967610dcf2f453e58168ac http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb Size/MD5 checksum: 197474 fdafe757e29a035228b975a01245bcaf http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb Size/MD5 checksum: 62246 29e686985a17d0815df3f8ff78673e1a Sun Sparc architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 11112636 6db1588af2492a6858b864d7c48ea6cd http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 50625596 d312e6e9c3281a3f6afa2ec8d36a5fac http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 3669498 8fb7f294f0605a6350d1389c2ca0a672 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 48158 99b3bc04292ba6c173f44342e8c75f00 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 190272 d6d20cf4bf48f0d446d14c4df31f70bb http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 58184 d5c1f9f6d261da2eb051e5acecef6818 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHGNMHXm3vHE4uyloRAlPxAKCzC297IIqGthDyHsVppj3ExXcDqACfV7ku qkbOGWZJf7x2q0b1+SGLjJw= =yjIf -----END PGP SIGNATURE-----