lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080328134802.GA22276@galadriel.inutil.org>
Date: Fri, 28 Mar 2008 14:48:02 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1534-1] New iceape packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1534-1                  security@...ian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
March 28, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : iceape
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235
                 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240
                 CVE-2008-1241

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4879

    Peter Brodersen and Alexander Klink discovered that the
    autoselection of SSL client certificates could lead to users
    being tracked, resulting in a loss of privacy.

CVE-2008-1233

    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.

CVE-2008-1234

    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.

CVE-2008-1235
  
    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling can lead to cross-site
    scripting and the execution of arbitrary code.

CVE-2008-1236

    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.

CVE-2008-1237

    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.

CVE-2008-1238

    Gregory Fleischer discovered that HTTP Referrer headers were
    handled incorrectly in combination with URLs containing Basic
    Authentication credentials with empty usernames, resulting
    in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

    Gregory Fleischer discovered that web content fetched through
    the jar: protocol can use Java to connect to arbitrary ports.
    This is only an issue in combination with the non-free Java
    plugin.

CVE-2008-1241

    Chris Thomas discovered that background tabs could generate
    XUL popups overlaying the current tab, resulting in potential
    spoofing attacks.

For the stable distribution (etch), these problems have been fixed in
version 1.0.13~pre080323b-0etch1.

The Mozilla products of the old stable distribution (sarge) are no
longer supported.

We recommend that you upgrade your iceape packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch1.dsc
    Size/MD5 checksum:     1439 bbddb3a4298f074ef44d28726cb899a7
  http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch1.diff.gz
    Size/MD5 checksum:   270153 f1f5729e8f0ae75037263ce466411f93
  http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b.orig.tar.gz
    Size/MD5 checksum: 42900009 f2a3c50d814f6e7015f779b10494fac8

Architecture independent packages:

  http://security.debian.org/pool/updates/main/i/iceape/mozilla-calendar_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27452 67eb8b78d13a177e8060ba1010f3aba5
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-browser_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    28426 1cfeb741553c331bf3a05d3d615ed45e
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-dev_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27584 fbc1fd43eda2b6a1e013d6500f2a4251
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-mailnews_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27472 07d0092d76d3b0e20b4abdb7bfda5cb9
  http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    28852 bfae5642743dbbec8d2ff16aa33210a2
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-chatzilla_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27466 593903e4433b310299117247b834b7b6
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dev_1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:  3928454 ee73849da0e9a4399c5a3e4050a84c6d
  http://security.debian.org/pool/updates/main/i/iceape/mozilla_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27440 fb68ab7bd171309832a5cea94634709d
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-dom-inspector_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27488 281d7a31a496908717da53d533cc92c8
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-js-debugger_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27488 fab5cb4acfcd6eb254f2d75c260b7f19
  http://security.debian.org/pool/updates/main/i/iceape/iceape-chatzilla_1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:   282162 2801947ecfc25f4e5f442a04f84f748e
  http://security.debian.org/pool/updates/main/i/iceape/mozilla-psm_1.8+1.0.13~pre080323b-0etch1_all.deb
    Size/MD5 checksum:    27456 11a309344c4747e73c22c241437cbaa5

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_alpha.deb
    Size/MD5 checksum: 12888480 7921f3f3e15968908ed4e5fbd56aab8d
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_alpha.deb
    Size/MD5 checksum:   626308 0053fb055c3ee9d03245374ebd4f0f8e
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_alpha.deb
    Size/MD5 checksum:   198042 22c7d5ffd0b357f79f751a4bd037ff90
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_alpha.deb
    Size/MD5 checksum: 60661454 be0eafd95ec914846264becfce3352f1
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_alpha.deb
    Size/MD5 checksum:    54236 06a465db7cfcd7b822d0fbc3eeb9dbe8
  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_alpha.deb
    Size/MD5 checksum:  2283086 90f46111bb978c369b686cf8ac6b7601

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_amd64.deb
    Size/MD5 checksum:  2099810 07b28b205c7eefc3a3877ea97b196e2f
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_amd64.deb
    Size/MD5 checksum: 11691952 177221b9335ee60a5714358026c42415
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_amd64.deb
    Size/MD5 checksum:    53616 77e7d16213280b74557a8e6b382b9a2e
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_amd64.deb
    Size/MD5 checksum:   614092 f2cbc1715ac37d18f88bc4f55f6aaec1
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_amd64.deb
    Size/MD5 checksum:   195316 63ab323bcf8f343375e15e771e81ab0a
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_amd64.deb
    Size/MD5 checksum: 59662720 f39cbc78e542cb0b1cbee1c41bd270a2

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_i386.deb
    Size/MD5 checksum:    48682 3f6be3fa9e4faf9b33ace249b3cae873
  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_i386.deb
    Size/MD5 checksum:  1891680 7d060689b282d8338075d41e1b74edfa
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_i386.deb
    Size/MD5 checksum: 10480134 a454aa4169bdc8c33055acc1d1c84e31
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_i386.deb
    Size/MD5 checksum:   589222 21928b5b2d70379970a3fac0dc6a06e4
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_i386.deb
    Size/MD5 checksum:   190034 a955b664d5c5a04831bbd0504ce0f661
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_i386.deb
    Size/MD5 checksum: 58740636 520dac74cff1a3ca6f9bfa4dfe20a9a2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_ia64.deb
    Size/MD5 checksum:  2817286 5e9c004f5c549d7f9d97f973d64a1ea0
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_ia64.deb
    Size/MD5 checksum: 59919906 79ff779faed87a05338b396966a9dc4e
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_ia64.deb
    Size/MD5 checksum:    62136 e48897dfff4fb298733ff2a95e1a1087
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_ia64.deb
    Size/MD5 checksum:   662110 f2e7e73357eb4b997aecef7055c3f33f
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_ia64.deb
    Size/MD5 checksum: 15794020 7f278b9e166a936a7910bf3756b14a74
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_ia64.deb
    Size/MD5 checksum:   204956 9995011c479f89d6bc30340f9c12cefa

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_mips.deb
    Size/MD5 checksum:   599712 25733a7076ffa75701fc5b602ac18109
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_mips.deb
    Size/MD5 checksum:    50154 509c15bc0ec88ee22fdd6f808a7a28cc
  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_mips.deb
    Size/MD5 checksum:  1959486 7c51ab276c725e6973fc7184c99384b2
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_mips.deb
    Size/MD5 checksum: 11157502 d6a4e81674b7a779d55beda2eadec238
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_mips.deb
    Size/MD5 checksum: 61513330 70f6d19279890154f0fce90f55ba205f
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_mips.deb
    Size/MD5 checksum:   191252 86cbc31711645f2fc0c8c9dbebcb750f

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_mipsel.deb
    Size/MD5 checksum:   191486 4c713676077a8ed9757d4ba26ec6dda0
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_mipsel.deb
    Size/MD5 checksum: 10910618 39f5b0ba8e2820b9d4e04423c39afe23
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_mipsel.deb
    Size/MD5 checksum:   596164 cf1651c09d984cf9748eed698d28f4d1
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_mipsel.deb
    Size/MD5 checksum:    49998 6859bf75d6d84d40f52fab864dfc0c86
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_mipsel.deb
    Size/MD5 checksum: 59864430 875cb3f035a468c7a798baeb43aeae56
  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_mipsel.deb
    Size/MD5 checksum:  1942462 d8b585c728d1c3c79794340ab36f149d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_powerpc.deb
    Size/MD5 checksum:  2006632 cb5d4644f988da299d5d2981d65624e3
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_powerpc.deb
    Size/MD5 checksum:   596412 20b7d022fc264028ff3bd98f0880c0a8
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_powerpc.deb
    Size/MD5 checksum:   192266 ccc58d21f227b6f76418a02dae9ee465
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_powerpc.deb
    Size/MD5 checksum: 61653568 4573fd2de80ddb97b43e59b43c03c21b
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_powerpc.deb
    Size/MD5 checksum:    49458 6ab4067f7480066a0ba9dafb50c10634
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_powerpc.deb
    Size/MD5 checksum: 11310320 2583312ad8822789d7e1331168ba85be

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_s390.deb
    Size/MD5 checksum: 60408236 61255bd3e79604b8a7e969001328f838
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_s390.deb
    Size/MD5 checksum: 12287744 9d77ab82ad6113e433f7326ad356780f
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_s390.deb
    Size/MD5 checksum:   197132 f93d1c741a8a63303fc89ae76aeaa869
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_s390.deb
    Size/MD5 checksum:   611904 6a7bdbee38806943338ad71a5eb4bdc0
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_s390.deb
    Size/MD5 checksum:    54206 0a4ed8eb13c620548650bd3cd92f1637
  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_s390.deb
    Size/MD5 checksum:  2186016 fcfd0fd599884e1415f03ddbc29bb3ae

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_sparc.deb
    Size/MD5 checksum:   189920 534d2f5cc56549b87576e038114466c4
  http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_sparc.deb
    Size/MD5 checksum:    48260 c9be9a7854ea7876c89048f0cc0b0a00
  http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_sparc.deb
    Size/MD5 checksum: 58546302 19a562c621f0347ec994a95e51244014
  http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_sparc.deb
    Size/MD5 checksum:   585528 78f5742b546957c8e2b405186cb6e202
  http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_sparc.deb
    Size/MD5 checksum:  1896246 b21c759518c193e4bc8956d96fa5e9af
  http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_sparc.deb
    Size/MD5 checksum: 10659660 d2c72f953bcdd7a11f62a0adaa91246e


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7PbnXm3vHE4uyloRAgv3AKDUX+1yyt5Ttta/jfAiRRV4a/QRkgCeIVoK
b0KfmKUsg51hOvdRMUJHGXo=
=vpbk
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ