DSA 1534-1: New iceape packages fix several vulnerabilities
Posted on: 03/28/2008 04:10 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1534-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 28, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : iceape
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235
CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240
CVE-2008-1241

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4879

Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.

CVE-2008-1233

"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.

CVE-2008-1234

"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.

CVE-2008-1235

Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling can lead to cross-site
scripting and the execution of arbitrary code.

CVE-2008-1236

Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.

CVE-2008-1237

"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.

CVE-2008-1238

Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.

CVE-2008-1241

Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks.

For the stable distribution (etch), these problems have been fixed in
version 1.0.13~pre080323b-0etch1.

The Mozilla products of the old stable distribution (sarge) are no
longer supported.

We recommend that you upgrade your iceape packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch1.dsc
Size/MD5 checksum: 1439 bbddb3a4298f074ef44d28726cb899a7
http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch1.diff.gz
Size/MD5 checksum: 270153 f1f5729e8f0ae75037263ce466411f93
http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b.orig.tar.gz
Size/MD5 checksum: 42900009 f2a3c50d814f6e7015f779b10494fac8

Architecture independent packages:

http://security.debian.org/pool/updates/main/i/iceape/mozilla-calendar_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27452 67eb8b78d13a177e8060ba1010f3aba5
http://security.debian.org/pool/updates/main/i/iceape/mozilla-browser_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 28426 1cfeb741553c331bf3a05d3d615ed45e
http://security.debian.org/pool/updates/main/i/iceape/mozilla-dev_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27584 fbc1fd43eda2b6a1e013d6500f2a4251
http://security.debian.org/pool/updates/main/i/iceape/mozilla-mailnews_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27472 07d0092d76d3b0e20b4abdb7bfda5cb9
http://security.debian.org/pool/updates/main/i/iceape/iceape_1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 28852 bfae5642743dbbec8d2ff16aa33210a2
http://security.debian.org/pool/updates/main/i/iceape/mozilla-chatzilla_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27466 593903e4433b310299117247b834b7b6
http://security.debian.org/pool/updates/main/i/iceape/iceape-dev_1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 3928454 ee73849da0e9a4399c5a3e4050a84c6d
http://security.debian.org/pool/updates/main/i/iceape/mozilla_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27440 fb68ab7bd171309832a5cea94634709d
http://security.debian.org/pool/updates/main/i/iceape/mozilla-dom-inspector_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27488 281d7a31a496908717da53d533cc92c8
http://security.debian.org/pool/updates/main/i/iceape/mozilla-js-debugger_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27488 fab5cb4acfcd6eb254f2d75c260b7f19
http://security.debian.org/pool/updates/main/i/iceape/iceape-chatzilla_1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 282162 2801947ecfc25f4e5f442a04f84f748e
http://security.debian.org/pool/updates/main/i/iceape/mozilla-psm_1.8+1.0.13~pre080323b-0etch1_all.deb
Size/MD5 checksum: 27456 11a309344c4747e73c22c241437cbaa5

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_alpha.deb
Size/MD5 checksum: 12888480 7921f3f3e15968908ed4e5fbd56aab8d
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_alpha.deb
Size/MD5 checksum: 626308 0053fb055c3ee9d03245374ebd4f0f8e
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_alpha.deb
Size/MD5 checksum: 198042 22c7d5ffd0b357f79f751a4bd037ff90
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_alpha.deb
Size/MD5 checksum: 60661454 be0eafd95ec914846264becfce3352f1
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_alpha.deb
Size/MD5 checksum: 54236 06a465db7cfcd7b822d0fbc3eeb9dbe8
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_alpha.deb
Size/MD5 checksum: 2283086 90f46111bb978c369b686cf8ac6b7601

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_amd64.deb
Size/MD5 checksum: 2099810 07b28b205c7eefc3a3877ea97b196e2f
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_amd64.deb
Size/MD5 checksum: 11691952 177221b9335ee60a5714358026c42415
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_amd64.deb
Size/MD5 checksum: 53616 77e7d16213280b74557a8e6b382b9a2e
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_amd64.deb
Size/MD5 checksum: 614092 f2cbc1715ac37d18f88bc4f55f6aaec1
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_amd64.deb
Size/MD5 checksum: 195316 63ab323bcf8f343375e15e771e81ab0a
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_amd64.deb
Size/MD5 checksum: 59662720 f39cbc78e542cb0b1cbee1c41bd270a2

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_i386.deb
Size/MD5 checksum: 48682 3f6be3fa9e4faf9b33ace249b3cae873
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_i386.deb
Size/MD5 checksum: 1891680 7d060689b282d8338075d41e1b74edfa
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_i386.deb
Size/MD5 checksum: 10480134 a454aa4169bdc8c33055acc1d1c84e31
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_i386.deb
Size/MD5 checksum: 589222 21928b5b2d70379970a3fac0dc6a06e4
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_i386.deb
Size/MD5 checksum: 190034 a955b664d5c5a04831bbd0504ce0f661
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_i386.deb
Size/MD5 checksum: 58740636 520dac74cff1a3ca6f9bfa4dfe20a9a2

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_ia64.deb
Size/MD5 checksum: 2817286 5e9c004f5c549d7f9d97f973d64a1ea0
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_ia64.deb
Size/MD5 checksum: 59919906 79ff779faed87a05338b396966a9dc4e
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_ia64.deb
Size/MD5 checksum: 62136 e48897dfff4fb298733ff2a95e1a1087
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_ia64.deb
Size/MD5 checksum: 662110 f2e7e73357eb4b997aecef7055c3f33f
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_ia64.deb
Size/MD5 checksum: 15794020 7f278b9e166a936a7910bf3756b14a74
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_ia64.deb
Size/MD5 checksum: 204956 9995011c479f89d6bc30340f9c12cefa

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_mips.deb
Size/MD5 checksum: 599712 25733a7076ffa75701fc5b602ac18109
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_mips.deb
Size/MD5 checksum: 50154 509c15bc0ec88ee22fdd6f808a7a28cc
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_mips.deb
Size/MD5 checksum: 1959486 7c51ab276c725e6973fc7184c99384b2
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_mips.deb
Size/MD5 checksum: 11157502 d6a4e81674b7a779d55beda2eadec238
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_mips.deb
Size/MD5 checksum: 61513330 70f6d19279890154f0fce90f55ba205f
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_mips.deb
Size/MD5 checksum: 191252 86cbc31711645f2fc0c8c9dbebcb750f

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_mipsel.deb
Size/MD5 checksum: 191486 4c713676077a8ed9757d4ba26ec6dda0
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_mipsel.deb
Size/MD5 checksum: 10910618 39f5b0ba8e2820b9d4e04423c39afe23
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_mipsel.deb
Size/MD5 checksum: 596164 cf1651c09d984cf9748eed698d28f4d1
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_mipsel.deb
Size/MD5 checksum: 49998 6859bf75d6d84d40f52fab864dfc0c86
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_mipsel.deb
Size/MD5 checksum: 59864430 875cb3f035a468c7a798baeb43aeae56
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_mipsel.deb
Size/MD5 checksum: 1942462 d8b585c728d1c3c79794340ab36f149d

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_powerpc.deb
Size/MD5 checksum: 2006632 cb5d4644f988da299d5d2981d65624e3
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_powerpc.deb
Size/MD5 checksum: 596412 20b7d022fc264028ff3bd98f0880c0a8
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_powerpc.deb
Size/MD5 checksum: 192266 ccc58d21f227b6f76418a02dae9ee465
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_powerpc.deb
Size/MD5 checksum: 61653568 4573fd2de80ddb97b43e59b43c03c21b
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_powerpc.deb
Size/MD5 checksum: 49458 6ab4067f7480066a0ba9dafb50c10634
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_powerpc.deb
Size/MD5 checksum: 11310320 2583312ad8822789d7e1331168ba85be

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_s390.deb
Size/MD5 checksum: 60408236 61255bd3e79604b8a7e969001328f838
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_s390.deb
Size/MD5 checksum: 12287744 9d77ab82ad6113e433f7326ad356780f
http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_s390.deb
Size/MD5 checksum: 197132 f93d1c741a8a63303fc89ae76aeaa869
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_s390.deb
Size/MD5 checksum: 611904 6a7bdbee38806943338ad71a5eb4bdc0
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_s390.deb
Size/MD5 checksum: 54206 0a4ed8eb13c620548650bd3cd92f1637
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_s390.deb
Size/MD5 checksum: 2186016 fcfd0fd599884e1415f03ddbc29bb3ae

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/i/iceape/iceape-dom-inspector_1.0.13~pre080323b-0etch1_sparc.deb
Size/MD5 checksum: 189920 534d2f5cc56549b87576e038114466c4
http://security.debian.org/pool/updates/main/i/iceape/iceape-gnome-support_1.0.13~pre080323b-0etch1_sparc.deb
Size/MD5 checksum: 48260 c9be9a7854ea7876c89048f0cc0b0a00
http://security.debian.org/pool/updates/main/i/iceape/iceape-dbg_1.0.13~pre080323b-0etch1_sparc.deb
Size/MD5 checksum: 58546302 19a562c621f0347ec994a95e51244014
http://security.debian.org/pool/updates/main/i/iceape/iceape-calendar_1.0.13~pre080323b-0etch1_sparc.deb
Size/MD5 checksum: 585528 78f5742b546957c8e2b405186cb6e202
http://security.debian.org/pool/updates/main/i/iceape/iceape-mailnews_1.0.13~pre080323b-0etch1_sparc.deb
Size/MD5 checksum: 1896246 b21c759518c193e4bc8956d96fa5e9af
http://security.debian.org/pool/updates/main/i/iceape/iceape-browser_1.0.13~pre080323b-0etch1_sparc.deb
Size/MD5 checksum: 10659660 d2c72f953bcdd7a11f62a0adaa91246e


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7PbnXm3vHE4uyloRAgv3AKDUX+1yyt5Ttta/jfAiRRV4a/QRkgCeIVoK
b0KfmKUsg51hOvdRMUJHGXo=
=vpbk
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1534_1_new_iceape_packages_fix_several_vulnerabilities.html)