-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0774
                          icedove security update
                              15 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           icedove
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1967 CVE-2012-1954 CVE-2012-1950
                   CVE-2012-1948  

Reference:         ESB-2012.0686

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2528

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2528-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
August 14, 2012                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1948 CVE-2012-1950 CVE-2012-1954 CVE-2012-1967

Several vulnerabilities were discovered in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client.

CVE-2012-1948
	Multiple unspecified vulnerabilities in the browser engine
	were fixed.

CVE-2012-1950
	The underlying browser engine allows address bar spoofing 
	through drag-and-drop.

CVE-2012-1954
	A use-after-free vulnerability in the nsDocument::AdoptNode
	function allows remote attackers to cause a denial of service
	(heap memory corruption) or possibly execute arbitrary code.

CVE-2012-1967
	An error in the implementation of the JavaScript sandbox
	allows execution of JavaScript code with improper privileges
	using javascript: URLs.

For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze12.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 10.0.6-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----