-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2267
                         iceweasel security update
                              31 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iceweasel
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4498 CVE-2015-4497 

Reference:         ASB-2015.0087
                   ESB-2015.2261

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3345

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3345-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 29, 2015                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : iceweasel
CVE ID         : CVE-2015-4497 CVE-2015-4498

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2015-4497

    Jean-Max Reymond and Ucha Gobejishvili discovered a use-after-free
    vulnerability which occurs when resizing of a canvas element is
    triggered in concert with style changes. A web page containing
    malicious content can cause Iceweasel to crash, or potentially,
    execute arbitrary code with the privileges of the user running
    Iceweasel.

CVE-2015-4498

    Bas Venis reported a flaw in the handling of add-ons installation. A
    remote attacker can take advantage of this flaw to bypass the add-on
    installation prompt and trick a user into installing an add-on from
    a malicious source.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.2.1esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.2.1esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 38.2.1esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----