lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070613173411.GA3629@galadriel.inutil.org>
Date: Wed, 13 Jun 2007 19:34:11 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1305-1] New icedove packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1305-1                    security@...ian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
June 13th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1558 CVE-2007-2867 CVE-2007-2868

Several remote vulnerabilities have been discovered in the Icedove mail client,
an unbranded version of the Thunderbird client. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-1558

    Gatan Leurent discovered a cryptographical weakness in APOP
    authentication, which reduces the required efforts for an MITM attack
    to intercept a password. The update enforces stricter validation, which
    prevents this attack.

CVE-2007-2867
 
    Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn
    Wargers and Olli Pettay discovered crashes in the layout engine, which
    might allow the execution of arbitrary code.

CVE-2007-2868

    Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 and Wladimir Palant
    discovered crashes in the Javascript engine, which might allow the execution of
    arbitrary code. Generally, enabling Javascript in Icedove is not recommended.

Fixes for the oldstable distribution (sarge) are not available. While there
will be another round of security updates for Mozilla products, Debian doesn't
have the ressources to backport further security fixes to the old Mozilla
products. You're strongly encouraged to upgrade to stable as soon as possible.

For the stable distribution (etch) these problems have been fixed in version
1.5.0.12.dfsg1-0etch1.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your icedove packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.dsc
      Size/MD5 checksum:     1904 782de141f4201acfdb3f64649e8633c1
    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.diff.gz
      Size/MD5 checksum:   638452 0b382503b7932c6a125a539ad36a9b56
    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1.orig.tar.gz
      Size/MD5 checksum: 33092818 246c0b87e4bd5b5f81df9bc4ad51f918

  Architecture independent components:

    http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28294 f99aeeb33759ba7db937725c1257dc3c
    http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28304 f89eb9a9aaa76fb692f870e4865947ab
    http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28308 0fe7b986606e09ccbc06d35b41c22061
    http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28286 3c896128dee950a2a718d21e0e839e62
    http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28276 eed67c8b54582ca5bfec91b72c52a232
    http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28278 1959e478ec9c1a77619b01873ff822f6
    http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28300 959ee006281d442ce95ef229641ce827
    http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28290 5ecf563aca0d85c16e197c222100995b
    http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28306 c4d49ed78de21cb6112f38d189b93bc6
    http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.12.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28264 f951d0f14dd81bf7684d8129814f1a68

  Alpha architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum: 13441302 9e9c3111c0bae2d3b951d2d5a242a9f4
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum: 52274362 fc61f6dd4176c30e40ce7d1c240b2d04
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:  3904592 506da6d9493a19303806e4e4599d245e
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:    51900 718719afe0bc423d1353efa0aaccaf18
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:   200108 3391daf25055064eb6764c290515a593
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:    64016 8f71e349f0776572f1b47a0430c293ee

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum: 12139602 c6589e27cfac81ddad462cfcc5dd1a20
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum: 51380120 b958a63e854cca7a442ee0207206bfd3
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:  3625224 099909dc279e37cbfabba5b165b31f88
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:    51780 8d98858fe2412be2d3d3b3b2efb20f48
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:   195302 5dd2cea99bb81707d2fb3eb437b522f7
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:    60724 24d81815f6ade2ca9e5505bb2be1a1dc

  ARM architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_arm.deb
      Size/MD5 checksum: 10829726 11a5ea81b564b5b2a66d666a94448da1
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_arm.deb
      Size/MD5 checksum: 50725554 f3f0d6ef0eaa89c94998033cd909298f
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:  3621960 dbef27a6cbcff0fb0a3b1b71ab38b12d
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:    47306 b66e3e1280ad688ff19c846dba1d3e79
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:   189468 56ba9915760e9e1d7b3e67ebf8080e9f
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:    58506 6ea7bef2259e0bcd5e5e2e90289bda7e

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_hppa.deb
      Size/MD5 checksum: 13567948 0c42a2559ba36becc3280ed6e4847b39
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_hppa.deb
      Size/MD5 checksum: 52188544 61673b2091252f8941434c39dd533849
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_hppa.deb
      Size/MD5 checksum:  3633974 6dcd7d0f6ebacd6963adca1c8d67f3a3
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_hppa.deb
      Size/MD5 checksum:    53128 3ebf0f6649342d5d0eed34da1b8f8b66
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_hppa.deb
      Size/MD5 checksum:   198222 888abaea2f5d82483409fb0559ab39f8
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_hppa.deb
      Size/MD5 checksum:    64392 889538b4f36141d736e6bd8255335265

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_i386.deb
      Size/MD5 checksum: 10876072 4798da0589b3eda451189f4ee837daa6
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_i386.deb
      Size/MD5 checksum: 50636714 7cf5cf91aa41e12962a9b54cfcbc1f95
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:  3619896 8b82595f5dd7722df603604522e8fe77
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:    47684 442980b3b4af19981d3cefeab4c7be16
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:   190362 aeebbabe4cd629c53e0b4457909672c5
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:    57716 8a4994ffe091c7856528272c7819677e

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum: 16500728 09d49b0442fd424b4aed1b19cf03c17f
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum: 51672952 ca7a8a748836b8c7e18f5477fa0ccbd4
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:  3674838 4c056de3d838a4b6fd798534134fda83
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:    59168 88f4bd4ab03c5114cf877b20d256b136
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:   204384 f81bf3f095059110035b527083d21513
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:    73782 0e0446628f65f1971d610f8ea5eb55a8

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mips.deb
      Size/MD5 checksum: 11547504 cb91bfc37e93e7ad7758d8bc88f1ea3b
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mips.deb
      Size/MD5 checksum: 53010312 c000535f52bf6cf0882c24ffb1aa8f99
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:  3629758 404d00290b34e0dccbe535486d15d2ef
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:    48860 beeb138cb257900367f1a3515663a9bb
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:   192122 51ba670ff72d85f5d268e76938ef3e1a
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:    58236 48a92291ff311b4baaa5127ed05fabd2

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum: 11324984 054ea1a49b85b8ef1c96378a7e374d0d
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum: 51571486 a8f34224277f5c1ae2a0f61b70d02593
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:  3629510 2e916487ac92b5fcf526448f059ba705
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:    48698 21fa0e18cf48698b639a42a118f069c4
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:   191618 0ea2fb530662a75f87c4900eed37e580
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:    58298 7dbf75a88f7a731046b6e030f39fcb2e

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum: 11771646 28848cf3b4daa66182ea2e6b3cc9f923
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum: 53187512 5c06f5751cf333896cefd8cd716d6ee0
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:  3625032 e8da32f365cb833338a5f02ef1bd3854
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:    49320 a51244d6bcad918b35045910efd3ee41
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:   192360 22505d425d81e8c9cfc080e28385bf17
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:    60046 f5537d555c091d6b21ed376cb285d618

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_s390.deb
      Size/MD5 checksum: 12798692 f6c0fdd711173ad917b5ad6a519c39ef
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_s390.deb
      Size/MD5 checksum: 52048216 a1b5a704d041b321d381192cc36ec16b
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:  3628374 004598a21c81cd2d7c246eae41f8083a
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:    52374 ef69f9ba492cc13cb34e7e5ffba9ffd6
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:   197070 0910dede4859dc42492de82b278af585
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:    61830 4c3b615eeda0bd9ce6563a9c147047c7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum: 11083210 15ca31506f5fc73c238fec8c744db051
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum: 50536416 5da4451d0af12a06d57de7910393b93e
    http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:  3618046 3e22307aa970e88dc69f9e459ee8993e
    http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:    47856 81b806db6c0fe39763603af6758bc76d
    http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:   189880 bf1d05dfd15fbb91a5f4aa369f3802f1
    http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:    57790 cb8c6d9edd31af176b32dfcf5a6a88a5

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGcCpNXm3vHE4uyloRAly4AJ98IF87LBnkxez/YsOp13kH0mTESwCfZqIk
X6BZRBrnMJzMDbQK9rdXoec=
=rmeM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ