-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1156
                         iceweasel security update
                             10 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iceweasel
                   iceape
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5842 CVE-2012-5829 CVE-2012-4216
                   CVE-2012-4207 CVE-2012-4201 

Reference:         ASB-2012.0162

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2583
   http://www.debian.org/security/2012/dsa-2584

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2583-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
December 08, 2012                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829 
                 CVE-2012-5842
Debian Bug     : 

Multiple vulnerabilities have been found in Iceweasel, the Debian web browser
based on Mozilla Firefox:

CVE-2012-5829

  Heap-based buffer overflow in the nsWindow::OnExposeEvent function could
  allow remote attackers to execute arbitrary code.

CVE-2012-5842

  Multiple unspecified vulnerabilities in the browser engine could allow remote
  attackers to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code.

CVE-2012-4207

  The HZ-GB-2312 character-set implementation does not properly handle a ~
  (tilde) character in proximity to a chunk delimiter, which allows remote
  attackers to conduct cross-site scripting (XSS) attacks via a crafted
  document.

CVE-2012-4201

  The evalInSandbox implementation uses an incorrect context during the
  handling of JavaScript code that sets the location.href property, which
  allows remote attackers to conduct cross-site scripting (XSS) attacks or read
  arbitrary files by leveraging a sandboxed add-on.

CVE-2012-4216

  Use-after-free vulnerability in the gfxFont::GetFontEntry function allows
  remote attackers to execute arbitrary code or cause a denial of service (heap
  memory corruption) via unspecified vectors.

For the stable distribution (squeeze), these problems have been fixed in
version 3.5.16-20.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.11esr-1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.11esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQwy0CAAoJEG3bU/KmdcClrKYH/2/0FoI6R7xGT0gzjgVj3FwA
7vi8PwbR6tKqu8laFe85fxUanr7Y4wfuSD9buZYMFIKv9WJZVjYVGhly9x7SnV5d
dcR20d3ggu9nOQsN6G/J5IsYHBEnaJwMG1/q15+VYlLXPhESX1qW3yZ08FhZJFm6
7hpWYRsqK2mL6DHbBvV49e5bnNrYMO9udYoWgc3XfQ3HWSHvMLCswDLb19kUvnvB
reg8r35a3iMtkuINP9MlzlHcX08aGZq4AxfnWRBWWin20EfNACw2J1kLstI1/85D
RxRilzAOmi5n2Pfwi3AtdAMmTxtLa1ZS5C0buAEEaVQgHoaxY9WnpOWF5JJGsOQ=
=lCjs
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2584-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
December 08, 2012                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : iceape
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829 
                 CVE-2012-5842
Debian Bug     : 

For the stable distribution (squeeze), these problems have been fixed in
version 2.0.11-17.

For the testing distribution (wheezy), these problems have been fixed in
version 2.7.11-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.11-1.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQw0kOAAoJEG3bU/KmdcCleekH/jz8nZeU/C3XgWYtolzGRkIJ
ElCSrMWPv2wulLES/ZqtO6LgHLWA3asP5V5GXCQCO2zNhH1b46grY3VfCgvfuDr7
pY6f4EFerO3gvZoBG668iUssaHLBDxyf2hGKXpzRPFNUu4vGrOpplpueuaQbsPPa
LbxSLy1+a7jtUf/vi2SpGaaaNLH4XALgCxOaXrkEZdJI6iXYDgYepThOWIk9mFwz
mZvDFI4YxTfoIZzyyYucJ71hu2+IOiok/tVOEAdeP9aayRjFRdyqVpNBCXyS6Z54
3H93xj6TpYAS8PA307mOFmj/m2NTkp5fpe9SysZUWfHTq1K49X8OgIWGq3irJsg=
=m0Me
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=CkLh
-----END PGP SIGNATURE-----