-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1534-2 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff April 24, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : iceape Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 A regression in mailnews handling has been fixed. For reference the original advisory text below: Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-4879 Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. CVE-2008-1233 "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. CVE-2008-1234 "moz_bug_r_a4" discovered that insecure handling of event handlers could lead to cross-site scripting. CVE-2008-1235 Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered that incorrect principal handling can lead to cross-site scripting and the execution of arbitrary code. CVE-2008-1236 Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. CVE-2008-1237 "georgi", "tgirmann" and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. CVE-2008-1238 Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. CVE-2008-1240 Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. CVE-2008-1241 Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. For the stable distribution (etch), these problems have been fixed in version 1.0.13~pre080323b-0etch2. We recommend that you upgrade your iceape packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 4.0 (stable) - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch2.diff.gz Size/MD5 checksum: 270431 fc94cccf043f45b5bd2f1ea2d6b9b225 http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch2.dsc Size/MD5 checksum: 1439 3a1c421b0d61223760b7724dcf7ff6d9 http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b.orig.tar.gz Size/MD5 checksum: 42900009 f2a3c50d814f6e7015f779b10494fac8 Architecture independent packages: http://security.debian.org/pool/updates/main/i/iceape/mozilla-browser_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 28532 87c74c4e89522054101318d3a6aaaef9 http://security.debian.org/pool/updates/main/i/iceape/mozilla-js-debugger_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27594 5795424a813f6d765400d27852161904 http://security.debian.org/pool/updates/main/i/iceape/mozilla-psm_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27568 7b63ae9c6c56a43ae9db63e2f4c0ff85 http://security.debian.org/pool/updates/main/i/iceape/mozilla-chatzilla_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27576 a3cb70fb2e4811959f447c35effd3dcc http://security.debian.org/pool/updates/main/i/iceape/iceape-dev_1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 3928614 14cc24bbe9b509d69db0a20ccc1de079 http://security.debian.org/pool/updates/main/i/iceape/mozilla-calendar_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27558 bde53046463a722d1831cb45a59bb3cf http://security.debian.org/pool/updates/main/i/iceape/mozilla_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27560 62b1ef313aa14596c934a8121eb412c2 http://security.debian.org/pool/updates/main/i/iceape/iceape-chatzilla_1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 282312 6df637681e0a66b1bf68833b347b2124 http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 28966 549dc26dd898c58013aeb624098d5db1 http://security.debian.org/pool/updates/main/i/iceape/mozilla-mailnews_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27582 9c5919265f60ed5ba60075bc9b5102dc http://security.debian.org/pool/updates/main/i/iceape/mozilla-dom-inspector_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27596 9aa97c6c5f94155ec3e8d36c2414fd1d http://security.debian.org/pool/updates/main/i/iceape/mozilla-dev_1.8+1.0.13~pre080323b-0etch2_all.deb Size/MD5 checksum: 27694 c2a812caa94a72724bb98ec8cfc93249 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_alpha.deb Size/MD5 checksum: 12886108 2d9a38d95503842a3832aed859f0f80a http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_alpha.deb Size/MD5 checksum: 2281642 791f3a80ebdb173c2f9d0ff152f976c9 http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_alpha.deb Size/MD5 checksum: 627482 5729fa2e2f72dfa803e37a99b461417b http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_alpha.deb Size/MD5 checksum: 54972 11524f4ed3875809260eac9a6c0325a0 http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_alpha.deb Size/MD5 checksum: 60658744 e56cb39f56de70aaf7a201b0e13d309a http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_alpha.deb Size/MD5 checksum: 199028 8d154e497acf9e7796390f2b1c1501dd amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_amd64.deb Size/MD5 checksum: 59663026 37829add13c621e391eb2c6c9e047ca7 http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_amd64.deb Size/MD5 checksum: 2099876 895840b306a190900c44dc4088961c50 http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_amd64.deb Size/MD5 checksum: 11692150 69a227342b3e5d563a716149eadfc7ca http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_amd64.deb Size/MD5 checksum: 53740 d716f72d98622c3c97a679705426c2d5 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_amd64.deb Size/MD5 checksum: 195436 c5838a1fcb25f0588abed9da193c06ce http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_amd64.deb Size/MD5 checksum: 614236 0483f95d4be4d1a5b359a3864bc466f4 arm architecture (ARM) http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_arm.deb Size/MD5 checksum: 586622 65a7a73dc018e2c1c77c26a412510e7d http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_arm.deb Size/MD5 checksum: 58798986 33ad7943133f5f00672dcdeaa245f057 http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_arm.deb Size/MD5 checksum: 10426214 24dbab44f5ab57bccd1a0bfbb0f17680 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_arm.deb Size/MD5 checksum: 187090 57015ccb41fa214c46cd79b696d14198 http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_arm.deb Size/MD5 checksum: 47796 e0c6b965e643018af3abb27d41a01c38 http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_arm.deb Size/MD5 checksum: 1916922 36584dddf43f46a70412fe794991d07e hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_hppa.deb Size/MD5 checksum: 55158 0f80d4449589b0b77c8ef469ed9c2102 http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_hppa.deb Size/MD5 checksum: 619606 4ac9462c322063202406f20eb08b6adb http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_hppa.deb Size/MD5 checksum: 198562 7dcaaf89e91e427acefa886275f2606c http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_hppa.deb Size/MD5 checksum: 12991842 40dbc4f08611a986d30c358b4c442cab http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_hppa.deb Size/MD5 checksum: 2349778 0400cc18d7078e6a5c9d675cc5ec935d http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_hppa.deb Size/MD5 checksum: 60520824 a501cd292183eb7a909cdc481302cc9d i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_i386.deb Size/MD5 checksum: 1891942 8b55f7fffc8dda99a78c8deb587b3601 http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_i386.deb Size/MD5 checksum: 48796 920f9ba79b92a527149a3f8e3ca9e80f http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_i386.deb Size/MD5 checksum: 58740626 87ac20b038ce496fe0dec8fc78f8fb66 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_i386.deb Size/MD5 checksum: 190146 7d2da0e3a0a4291f5a78da36e4d91758 http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_i386.deb Size/MD5 checksum: 589368 c07d98219b6c237b4ecdc8cc24dde349 http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_i386.deb Size/MD5 checksum: 10480450 b302009b8337411c5b1cc59a394249a9 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_ia64.deb Size/MD5 checksum: 62286 ae7ef14b5c6bc27032715154c3b830d1 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_ia64.deb Size/MD5 checksum: 205078 7ffa6a5b770b336fe224c9c659e22236 http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_ia64.deb Size/MD5 checksum: 2817294 c1330dea34afd59505ba68496dfc9de0 http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_ia64.deb Size/MD5 checksum: 59920064 1e9f504516f7e024e3aa7df03b7859c4 http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_ia64.deb Size/MD5 checksum: 15794360 5a0009de6fe96fd8745b6d1da4f57512 http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_ia64.deb Size/MD5 checksum: 662296 a147dba65a655f2ffc4bc2dba80d062a mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_mips.deb Size/MD5 checksum: 11157426 2894d4aa411f541d24321e7cfc8c40dc http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_mips.deb Size/MD5 checksum: 1959586 8245d1d89e210dc64822059177c60935 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_mips.deb Size/MD5 checksum: 191382 993aa97774959191af28842e469ee122 http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_mips.deb Size/MD5 checksum: 50272 71182383f85762af687451ac3ef38824 http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_mips.deb Size/MD5 checksum: 599816 32d92af3b4068d460b27aea4a2941ef5 http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_mips.deb Size/MD5 checksum: 61513408 ddaa38162de39210cf0372b66d277afd mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_mipsel.deb Size/MD5 checksum: 10910758 dc4b71d0b3b3877411f1d6434152ae60 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_mipsel.deb Size/MD5 checksum: 191610 9829f7d8bf6d3057b575f44f2e42d7ba http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_mipsel.deb Size/MD5 checksum: 596352 1fbd24b1af0f0a8f09fa6caabd05f9d1 http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_mipsel.deb Size/MD5 checksum: 50114 5321e20192aba965da843116d5198a81 http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_mipsel.deb Size/MD5 checksum: 59864402 a591a34d73e69d6f8ba4985f7398cb60 http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_mipsel.deb Size/MD5 checksum: 1942674 7e8584f9c790ab330d760e0589a8a657 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_powerpc.deb Size/MD5 checksum: 596578 8ca91ddc369b7c2ef83d0cd1596cd644 http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_powerpc.deb Size/MD5 checksum: 192394 87211ca1331a30d20a2c899ce647cfc2 http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_powerpc.deb Size/MD5 checksum: 49580 f483e34bfbe4f072ba48fe4467c6d9eb http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_powerpc.deb Size/MD5 checksum: 2006802 cd1f36cb35b56996ed18ccc2bce77769 http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_powerpc.deb Size/MD5 checksum: 61653704 d6a8402134109d8aa8d086f5a014e180 http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_powerpc.deb Size/MD5 checksum: 11310660 d7775c0b98494daec085df09bdbc87c8 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_s390.deb Size/MD5 checksum: 197250 556af0df979862515c7a58f9b823cec7 http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_s390.deb Size/MD5 checksum: 54332 ef3f1234a167fa3056075501d4ab7ccb http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_s390.deb Size/MD5 checksum: 612090 5b6a56753f5a39caa9336a9dd5e6f67c http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_s390.deb Size/MD5 checksum: 2186154 c106802c2fbf29e99beb440ade898d06 http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_s390.deb Size/MD5 checksum: 60408796 7169c59d6b3ea8758e6ca752a44b537d http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_s390.deb Size/MD5 checksum: 12288118 e54834b616bba85af29add06b7c18be7 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch2_sparc.deb Size/MD5 checksum: 585692 caea96e57a9283b7978ad15fcc6a378c http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch2_sparc.deb Size/MD5 checksum: 1896400 609528b7ee5eb3ca761853daf8a5f619 http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch2_sparc.deb Size/MD5 checksum: 10659906 27159c6c7c281cbf50e8b6f8bcb9164a http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch2_sparc.deb Size/MD5 checksum: 58546410 4d394093ea9de39766982f3047fd3f9b http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch2_sparc.deb Size/MD5 checksum: 190044 f0a2981d7f48f1c8e3cec1fb9b9ec6ed http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch2_sparc.deb Size/MD5 checksum: 48396 ad3f586fd1c9f3239fa1a587fcc1603e These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIEPUuXm3vHE4uyloRAn/NAJ4m6N2wWgtvotnez1lFkx9c5xVanwCeI2Jr +wpqOPXsRIidIZmukYfs3Y8= =Gtpv -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/