Debian: New iceweasel packages fix several vulnerabilities

    Date11 Jul 2008
    CategoryDebian
    4534
    Posted ByLinuxSecurity Advisories
    Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1607-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                       Moritz Muehlenhoff
    July 11, 2008                         http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : iceweasel
    Vulnerability  : several
    Problem-Type   : remote
    Debian-specific: no
    CVE ID         : CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811
    
    Several remote vulnerabilities have been discovered in the Iceweasel
    webbrowser, an unbranded version of the Firefox browser. The Common 
    Vulnerabilities and Exposures project identifies the following problems:
    
    CVE-2008-2798
    
        Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
        crashes in the layout engine, which might allow the execution of
        arbitrary code.
    
    CVE-2008-2799
    
        Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
        the Javascript engine, which might allow the execution of arbitrary code.
    
    CVE-2008-2800
    
        "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.
    
    CVE-2008-2801
    
        Collin Jackson and Adam Barth discovered that Javascript code
        could be executed in the context or signed JAR archives.
    
    CVE-2008-2802
    
        "moz_bug_r_a4" discovered that XUL documements can escalate
        privileges by accessing the pre-compiled "fastload" file.
    
    CVE-2008-2803
    
        "moz_bug_r_a4" discovered that missing input sanitising in the
        mozIJSSubScriptLoader.loadSubScript() function could lead to the
        execution of arbitrary code. Iceweasel itself is not affected, but
        some addons are.
    
    CVE-2008-2805
    
        Claudio Santambrogio discovered that missing access validation in
        DOM parsing allows malicious web sites to force the browser to
        upload local files to the server, which could lead to information
        disclosure.
    
    CVE-2008-2807
    
        Daniel Glazman discovered that a programming error in the code for
        parsing .properties files could lead to memory content being
        exposed to addons, which could lead to information disclosure.
    
    CVE-2008-2808
    
        Masahiro Yamada discovered that file URLS in directory listings
        were insufficiently escaped.
    
    CVE-2008-2809
    
        John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
        alternate names on self-signed certificates were handled
        insufficiently, which could lead to spoofings secure connections.
    
    CVE-2008-2811
    
        Greg McManus discovered discovered a crash in the block reflow
        code, which might allow the execution of arbitrary code.
    
    
    For the stable distribution (etch), these problems have been fixed in
    version 2.0.0.15-0etch1.
    
    Iceweasel from the unstable distribution (sid) links dynamically
    against the xulrunner library.
    
    We recommend that you upgrade your iceweasel package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15.orig.tar.gz
        Size/MD5 checksum: 47244449 4fb7fdf128d5c8ce5e880510e58f5cfa
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1.dsc
        Size/MD5 checksum:     1289 f29a9bb4fd9f71d203de489050e1f5f5
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1.diff.gz
        Size/MD5 checksum:   186551 355acbaea7631bbfa0a1013902a7c82a
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:    55052 f166a298b2e71f4e478c01dc99e9601f
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:   239592 281c8418a4d86ab976acf4fd65033606
      http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:    54520 283777c2a1be7e90d85e7f900c085f40
      http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:    54262 06e72fcbbe44c5d4125137786dfb8011
      http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:    54260 cb6f4ccf969394a3f5b650fb0f8de834
      http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:    54376 fe9ef4ef5de1b277d8a532aeaaaf5581
      http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.15-0etch1_all.deb
        Size/MD5 checksum:    54412 2728ff70a7e5051d7dc5bb424ca17a79
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_amd64.deb
        Size/MD5 checksum: 50156300 9ab61c77c9b1bb6af19448d2300b3277
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_amd64.deb
        Size/MD5 checksum:    87772 a3c3f310edeba4b18dfbb8880c8d76f9
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_amd64.deb
        Size/MD5 checksum: 10202026 6017a343bcee74e5922218b25b00a9d9
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_hppa.deb
        Size/MD5 checksum: 50526254 29a44a85fd87708cc9c1f8a4bb10f346
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_hppa.deb
        Size/MD5 checksum: 11108034 8e9c155e5a4128bed37260c0ad7a0c1b
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_hppa.deb
        Size/MD5 checksum:    89312 1a2507f73581e80103806bda8c673abd
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_i386.deb
        Size/MD5 checksum: 49553216 2f70c9f1fb5306d9f937613b3cc84cda
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_i386.deb
        Size/MD5 checksum:    81902 34948a1ed1b8558e0804860914cd0c72
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_i386.deb
        Size/MD5 checksum:  9117184 f77fc0ad893338c987f206101facd9f0
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_ia64.deb
        Size/MD5 checksum: 14150826 de782a5715826236aacf2311f43ef949
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_ia64.deb
        Size/MD5 checksum: 50499040 fe8b0f690dd078d0997b27ba36a0e510
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_ia64.deb
        Size/MD5 checksum:   100112 ab756247dd84e77695ff6b4dfab96cd3
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_mips.deb
        Size/MD5 checksum: 11058248 30d13ac857eddbbeeb6d19fc2a4f9b75
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_mips.deb
        Size/MD5 checksum:    83040 07fc599646c9d80e43fe84e4509d34b7
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_mips.deb
        Size/MD5 checksum: 53950398 74967273393c4b168c101eae383577ff
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_mipsel.deb
        Size/MD5 checksum: 52499994 9c02fbe217402e9c00ef01fa103dc43d
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_mipsel.deb
        Size/MD5 checksum: 10759554 cd00c8429e986dc2399c60cd8c131b2a
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_mipsel.deb
        Size/MD5 checksum:    83054 66561cb487daf2a9df80c8c1722fcce1
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_powerpc.deb
        Size/MD5 checksum:  9935232 0d405869b71246057614dc440c2c685c
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_powerpc.deb
        Size/MD5 checksum:    83630 46e7175e4b0e1bf27a5254c7bc332eaa
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_powerpc.deb
        Size/MD5 checksum: 51949586 589452bc8022d7947522d4e596f6388a
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_s390.deb
        Size/MD5 checksum:    88034 a29c5e9842d6704818cce57a3cb53d1e
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_s390.deb
        Size/MD5 checksum: 50828486 9f956f6e6a3a40ea666dc3b9bb4888db
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_s390.deb
        Size/MD5 checksum: 10359442 86e9bac75060c34d0c42826e38b0e6ae
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.15-0etch1_sparc.deb
        Size/MD5 checksum:    81748 6fc2cc53b1d64b48b24ab8b81c9027a4
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.15-0etch1_sparc.deb
        Size/MD5 checksum: 49164610 e334feea6dd3c72cc2a49af2b3e25e33
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.15-0etch1_sparc.deb
        Size/MD5 checksum:  9138482 2a301be276e18b5605454682b37ddefd
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"14","type":"x","order":"1","pct":53.85,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":15.38,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"8","type":"x","order":"3","pct":30.77,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.