QxzQxz On Dec 16, 2012 3:11 PM, "Florian Weimer" <f...@deneb.enyo.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------- > Debian Security Advisory DSA-2588-1 secur...@debian.org > http://www.debian.org/security/ > December 16, 2012 http://www.debian.org/security/faq > - ------------------------------------------------------------------------- > > Package : icedove > Vulnerability : several > Problem type : remote > Debian-specific: no > CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829 > CVE-2012-5842 > > Multiple vulnerabilities have been found in Icedove, Debian's version > of the Mozilla Thunderbird mail and news client. > > CVE-2012-4201 > The evalInSandbox implementation uses an incorrect context during > the handling of JavaScript code that sets the location.href > property, which allows remote attackers to conduct cross-site > scripting (XSS) attacks or read arbitrary files by leveraging a > sandboxed add-on. > > CVE-2012-4207 > The HZ-GB-2312 character-set implementation does not properly handle > a ~ (tilde) character in proximity to a chunk delimiter, which > allows remote attackers to conduct cross-site scripting (XSS) > attacks via a crafted document. > > CVE-2012-4216 > Use-after-free vulnerability in the gfxFont::GetFontEntry function > allows remote attackers to execute arbitrary code or cause a denial > of service (heap memory corruption) via unspecified vectors. > > CVE-2012-5829 > Heap-based buffer overflow in the nsWindow::OnExposeEvent function could > allow remote attackers to execute arbitrary code. > > CVE-2012-5842 > Multiple unspecified vulnerabilities in the browser engine could > allow remote attackers to cause a denial of service (memory > corruption and application crash) or possibly execute arbitrary > code. > > For the stable distribution (squeeze), these problems have been fixed in > version 3.0.11-1+squeeze15. > > For the unstable distribution (sid), these problems have been fixed in > version 10.0.11-1. > > We recommend that you upgrade your icedove packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: http://www.debian.org/security/ > > Mailing list: debian-security-annou...@lists.debian.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iQEcBAEBAgAGBQJQzcfTAAoJEL97/wQC1SS+GdsH/Rx/EpAuwp8o5fLkccwikL9E > 1mwaGHStjPictslUUPRPU2zcSZF0rFZdGxx7gwgVGQ+EOJ1PU5fEBZoqptZJZsM+ > //kJNAHHX3+08AyEYg92CbAIyVljBAEQTgFC/JAWeIRV7XaXLHxTtZB6bWSN33Ly > aS12xRJxKuaj7w+0T9qLzTdyNFHKfOuHfBum9AYPEQLwOfyH56KnkAnG/x4xFQsj > eO212+j2UqRoC5/sntBm/0jX/ZpiFrrybsnDXmpaBCT8GTRSQ5A0X9oFtf4AOqxE > mOkEsCNxnC3eZp1pP+u92ALcP4zD3Meft6/LnnjofuaLxdGIsT2b2Zhy0ukPhSE= > =ug3g > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact > listmas...@lists.debian.org > Archive: http://lists.debian.org/87r4mq87oq....@mid.deneb.enyo.de > >