Your message dated Wed, 17 Dec 2008 21:03:02 +0000
with message-id <e1ld3xq-0006gw...@ries.debian.org>
and subject line Bug#505558: fixed in iceweasel 2.0.0.18-0etch1
has caused the Debian Bug report #505558,
regarding Mozilla Firefox 2 Multiple Vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
505558: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505558
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iceweasel
Version: 2.0.0.17-0etch1
Severity: critical
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
The following SA (Secunia Advisory) id was published for Firefox 2:
SA32693[1]
Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be
exploited by malicious people to disclose sensitive information, bypass
certain security restrictions, or compromise a user's system.
1) An error in the processing of ".url" shortcuts can be exploited to
obtain sensitive information from the local cache.
For more information:
SA32192
2) An error in the handling of HTTP redirect requests can be exploited
to bypass the same-origin policy and access sensitive information from
another domain.
3) An error exists when testing if a Flash module is dynamically
unloaded. This can be exploited to dereference memory no longer mapped
to the Flash module via an SWF file that dynamically unloads itself from
an outside JavaScript function.
4) An error when locking a non-native object can be exploited to cause a
crash via a web page assigning a specially crafted value to the
"window.__proto__.__proto__" object.
5) An error in the browser engine can be exploited to cause a memory
corruption.
6) Two errors in the JavaScript engine can be exploited to cause memory
corruptions.
Successful exploitation of vulnerabilities #3-#6 may allow execution of
arbitrary code.
7) An error in the browser's restore feature can be exploited to violate
the same-origin policy and run arbitrary JavaScript code in the context
of another site.
NOTE: The vulnerability can also be exploited to execute arbitrary
JavaScript code with chrome privileges.
8) An error in the processing of the "http-index-format" MIME type can
be exploited to execute arbitrary code via a specially crafted 200
header line included in an HTTP index response.
9) An error in the DOM constructing code can be exploited to dereference
uninitialized memory and potentially execute arbitrary code by modifying
certain properties of a file input element before the element has
finished initializing.
10) An error in the implementation of the
"nsXMLHttpRequest::NotifyEventListeners()" method can be exploited to
execute arbitrary JavaScript code in the context of another site.
11) An error when handling the "-moz-binding" CSS property can be
exploited to manipulate signed JAR files and execute arbitrary
JavaScript code in the context of another site.
12) An error exists when parsing the default XML namespace of an E4X
document. This can be exploited to inject arbitrary XML code via a
specially crafted namespace containing quote characters.
The vulnerabilities are reported in versions prior to 2.0.0.18.
Solution:
Update to version 2.0.0.18.
CVE reference:
CVE-2008-0017
CVE-2008-4582
CVE-2008-5012
CVE-2008-5013
CVE-2008-5014
CVE-2008-5017
CVE-2008-5018
CVE-2008-5019
CVE-2008-5021
CVE-2008-5022
CVE-2008-5023
CVE-2008-5024
If you fix the vulnerability please also make sure to include the
CVE id in the changelog entry.
[1] http://secunia.com/advisories/32693/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkcOnkACgkQNxpp46476aq8uwCeOoUJekricOaj+E04X2PPg3bf
5wQAniz3ycwyj0KlvdGJvTFAum/tBrlV
=qeCk
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: iceweasel
Source-Version: 2.0.0.18-0etch1
We believe that the bug you reported is fixed in the latest version of
iceweasel, which is due to be installed in the Debian FTP archive:
firefox-dom-inspector_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/firefox-dom-inspector_2.0.0.18-0etch1_all.deb
firefox-gnome-support_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/firefox-gnome-support_2.0.0.18-0etch1_all.deb
firefox_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/firefox_2.0.0.18-0etch1_all.deb
iceweasel-dbg_2.0.0.18-0etch1_amd64.deb
to pool/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_amd64.deb
iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
iceweasel-gnome-support_2.0.0.18-0etch1_amd64.deb
to pool/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_amd64.deb
iceweasel_2.0.0.18-0etch1.diff.gz
to pool/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.diff.gz
iceweasel_2.0.0.18-0etch1.dsc
to pool/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.dsc
iceweasel_2.0.0.18-0etch1_amd64.deb
to pool/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_amd64.deb
iceweasel_2.0.0.18.orig.tar.gz
to pool/main/i/iceweasel/iceweasel_2.0.0.18.orig.tar.gz
mozilla-firefox-dom-inspector_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.18-0etch1_all.deb
mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
mozilla-firefox_2.0.0.18-0etch1_all.deb
to pool/main/i/iceweasel/mozilla-firefox_2.0.0.18-0etch1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 505...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <e...@debian.org> (supplier of updated iceweasel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 23 Nov 2008 13:49:19 -0500
Source: iceweasel
Binary: firefox-dom-inspector mozilla-firefox iceweasel-gnome-support iceweasel
mozilla-firefox-dom-inspector iceweasel-dbg firefox-gnome-support
iceweasel-dom-inspector mozilla-firefox-gnome-support firefox
Architecture: source all amd64
Version: 2.0.0.18-0etch1
Distribution: stable-security
Urgency: critical
Maintainer: Eric Dorland <e...@debian.org>
Changed-By: Eric Dorland <e...@debian.org>
Description:
firefox - Transition package for iceweasel rename
firefox-dom-inspector - Transition package for iceweasel rename
firefox-gnome-support - Transition package for iceweasel rename
iceweasel - lightweight web browser based on Mozilla
iceweasel-dbg - debugging symbols for iceweasel
iceweasel-dom-inspector - tool for inspecting the DOM of pages in Iceweasel
iceweasel-gnome-support - Support for Gnome in Iceweasel
mozilla-firefox - Transition package for iceweasel rename
mozilla-firefox-dom-inspector - Transition package for iceweasel rename
mozilla-firefox-gnome-support - Transition package for iceweasel rename
Closes: 505558
Changes:
iceweasel (2.0.0.18-0etch1) stable-security; urgency=critical
.
* New upstream security release.
* Fixes mfsa 2008-47 aka CVE-2008-4582; mfsa 2008-48 aka CVE-2008-5012;
mfsa 2008-49 aka CVE-2008-5013; mfsa 2008-50 aka CVE-2008-5014; mfsa
2008-52 aka CVE-2008-5017 and CVE-2008-5018; mfsa 2008-53 aka
CVE-2008-5019; mfsa 2008-54 aka CVE-2008-0017; mfsa 2008-55 aka
CVE-2008-5021; mfsa 2008-56 aka CVE-2008-5022; mfsa 2008-57 aka
CVE-2008-5023; mfsa 2008-58 aka CVE-2008-5024. (Closes: #505558)
Files:
84983c4e7f053c1f0eb3ea3d154bc6ad 1289 web optional
iceweasel_2.0.0.18-0etch1.dsc
ad1a208d95dedeafddbe7377de88d4d9 47266681 web optional
iceweasel_2.0.0.18.orig.tar.gz
18d2492164c72b846fab74bd75a69e1b 186777 web optional
iceweasel_2.0.0.18-0etch1.diff.gz
beeee1e8cab02ec9a70d89df8db4610b 239810 web optional
iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
09fdae147e16b09ad51544ab1fd218e6 55274 web optional
mozilla-firefox_2.0.0.18-0etch1_all.deb
15636d866284ca7caf11bd939792df97 54480 web optional
mozilla-firefox-dom-inspector_2.0.0.18-0etch1_all.deb
73ed36d6990d6b86e8fccef00a9029b1 54478 gnome optional
mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
045a9714ca0a04061cee79bc16b4b940 54742 web optional
firefox_2.0.0.18-0etch1_all.deb
bcc4bd1443fe23e5311396949bac9f32 54626 web optional
firefox-dom-inspector_2.0.0.18-0etch1_all.deb
62200645f81cd0e505fd40382333d010 54596 gnome optional
firefox-gnome-support_2.0.0.18-0etch1_all.deb
a38d4ae01ab60abab641411ee7aedba1 10213098 web optional
iceweasel_2.0.0.18-0etch1_amd64.deb
4e4a404cb859067e8804b793b06b1a5a 88014 gnome optional
iceweasel-gnome-support_2.0.0.18-0etch1_amd64.deb
3fe64a570e13497a49ac77972ead0ac0 50189682 devel extra
iceweasel-dbg_2.0.0.18-0etch1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJKcJgYemOzxbZcMYRApeVAJ0S4hvzPUcui5pkmoTjf1+3iYSvEACgxHGn
2pEC5dNMuRMCdYkAu+hIWBU=
=wTZO
-----END PGP SIGNATURE-----
--- End Message ---
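The report asks for every CVE id to be named in the changelog entry, and the upload's changelog pairs each MFSA with its CVE ids. The following is an added example, not part of the original messages or of any Debian tooling, that cross-checks the two lists; the function names `parse_changelog` and `coverage` are hypothetical, and the inputs are copied from the text above.

```python
import re

# Inputs copied from the two messages on this page (nothing is fetched).
ADVISORY_CVES = """
CVE-2008-0017 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013
CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-5019
CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024
"""
CHANGELOG = """\
* Fixes mfsa 2008-47 aka CVE-2008-4582; mfsa 2008-48 aka CVE-2008-5012;
mfsa 2008-49 aka CVE-2008-5013; mfsa 2008-50 aka CVE-2008-5014; mfsa
2008-52 aka CVE-2008-5017 and CVE-2008-5018; mfsa 2008-53 aka
CVE-2008-5019; mfsa 2008-54 aka CVE-2008-0017; mfsa 2008-55 aka
CVE-2008-5021; mfsa 2008-56 aka CVE-2008-5022; mfsa 2008-57 aka
CVE-2008-5023; mfsa 2008-58 aka CVE-2008-5024. (Closes: #505558)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MFSA_RE = re.compile(r"mfsa (\d{4}-\d+) aka (.+)", re.IGNORECASE)


def parse_changelog(text):
    """Map each MFSA id to the CVE ids the changelog attributes to it."""
    flat = " ".join(text.split())  # undo mail line wrapping ("mfsa\n2008-52")
    mapping = {}
    for clause in flat.split(";"):  # one "mfsa N aka CVE..." clause per ';'
        m = MFSA_RE.search(clause)
        if m:
            mapping[m.group(1)] = CVE_RE.findall(m.group(2))
    return mapping


def coverage(advisory_text, changelog_text):
    """Return (CVEs requested but not in changelog, CVEs in changelog only)."""
    wanted = set(CVE_RE.findall(advisory_text))
    fixed = {c for cves in parse_changelog(changelog_text).values() for c in cves}
    return sorted(wanted - fixed), sorted(fixed - wanted)


if __name__ == "__main__":
    missing, extra = coverage(ADVISORY_CVES, CHANGELOG)
    print("missing from changelog:", missing or "none")
    print("not in advisory list:", extra or "none")
    for mfsa, cves in parse_changelog(CHANGELOG).items():
        print(f"mfsa {mfsa}: {', '.join(cves)}")
```

An empty result on both sides means the changelog names every CVE the report listed and nothing else.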