===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0774
                          icedove security update
                              15 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           icedove
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1967 CVE-2012-1954 CVE-2012-1950
                   CVE-2012-1948

Reference:         ESB-2012.0686

Original Bulletin:
   http://www.debian.org/security/2012/dsa-2528

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2528-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
August 14, 2012                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1948 CVE-2012-1950 CVE-2012-1954 CVE-2012-1967

Several vulnerabilities were discovered in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client.

CVE-2012-1948
    Multiple unspecified vulnerabilities in the browser engine
    were fixed.

CVE-2012-1950
    The underlying browser engine allows address bar spoofing
    through drag-and-drop.

CVE-2012-1954
    A use-after-free vulnerability in the nsDocument::AdoptNode
    function allows remote attackers to cause a denial of service
    (heap memory corruption) or possibly execute arbitrary code.

CVE-2012-1967
    An error in the implementation of the Javascript sandbox
    allows execution of Javascript code with improper privileges
    using javascript: URLs.

For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze12.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 10.0.6-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================