Package: iceweasel
Version: 38.1.0esr-3
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,

This is related to Mozilla bug 814169, where a user using default settings hovers over a link without clicking on it (which triggers a link prefetch case). This will leak device information and provide access to the user's wallet. Many services are pay per use, and merely clicking on a link will cause the provider to subscribe to the services. And in cases of pay-per-ad this will cause unwanted charges for the user.

I believe that at least network.prefetch-next and network.http.speculative-parallel-limit should be disabled by default.

https://bugzilla.mozilla.org/show_bug.cgi?id=814169

The workaround for that bug is to disable network.prefetch-next and network.http.speculative-parallel-limit.

-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: ${PROFILE_EXTENSIONS}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Status: enabled

Name: BetterPrivacy
Location: ${PROFILE_EXTENSIONS}/{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled

Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled

Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled

Name: Places Maintenance
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled

-- Plugins information
Name: MozPlugger 1.14.5 handles QuickTime and Windows Media Player Plugin (1.14.5)
Location: /usr/lib/mozilla/plugins/mozplugger.so
Package: mozplugger
Status: disabled

-- Addons package information
ii  iceweasel   38.1.0esr-3  amd64  Web browser based on Firefox
ii  mozplugger  1.14.5-2     amd64  Plugin allowing external viewers

-- System Information:
Debian Release: stretch/sid
  APT prefers stable
  APT policy: (1001, 'stable'), (900, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.5.1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.29-1
ii  libatk1.0-0               2.16.0-2
ii  libc6                     2.19-19
ii  libcairo2                 1.14.2-2
ii  libdbus-1-3               1.8.20-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.2.1-3
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-4
ii  libgcc1                   1:5.2.1-14
ii  libgdk-pixbuf2.0-0        2.31.5-1
ii  libglib2.0-0              2.44.1-1.1
ii  libgtk2.0-0               2.24.28-1
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.8-2
ii  libnss3                   2:3.19.2-1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.11.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libvpx2                   1.4.0-4
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.10-2
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.5-3
ii  gstreamer1.0-plugins-good  1.4.5-2+b1

Versions of packages iceweasel suggests:
ii  fonts-mathjax           2.5.3-1
pn  fonts-oflb-asana-math   <none>
ii  fonts-stix [otf-stix]   1.1.1-3
ii  libcanberra0            0.30-2.1
ii  libgnomeui-0            2.24.5-3
ii  libgssapi-krb5-2        1.13.2+dfsg-2
ii  mozplugger              1.14.5-2

-- no debconf information

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
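The workaround the reporter names amounts to two entries in the profile's prefs.js or user.js. As an added example that is not part of the bug report or of the iceweasel package, the following Node.js script checks a profile's pref file for those two settings and emits the user.js fragment that applies the workaround. The sample prefs.js text is constructed for this example; the pref names and their Firefox 38 defaults (network.prefetch-next = true, network.http.speculative-parallel-limit = 6) are the real ones. Because a pref absent from prefs.js is at its default, the check treats a missing pref as leaky rather than as unknown.

```javascript
"use strict";

// Firefox 38 defaults for the two prefs named in the report. A pref that does
// not appear in prefs.js/user.js is at its default.
const DEFAULTS = {
  "network.prefetch-next": true,
  "network.http.speculative-parallel-limit": 6,
};

// Values that switch off <link rel="prefetch"> fetching and hover-triggered
// speculative connections.
const HARDENED = {
  "network.prefetch-next": false,
  "network.http.speculative-parallel-limit": 0,
};

// Parse user_pref("name", value); / pref("name", value); / sticky_pref(...)
// lines. Firefox pref files are not general JavaScript, so a per-line regex
// is enough; unrecognised lines and literals are skipped.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*(?:user_pref|pref|sticky_pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = parseInt(raw, 10);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue;
    prefs[m[1]] = value;
  }
  return prefs;
}

// For each pref of interest, report the effective value (explicit or default)
// and whether it matches the hardened value.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const result = {};
  for (const name of Object.keys(DEFAULTS)) {
    const effective = name in prefs ? prefs[name] : DEFAULTS[name];
    result[name] = { value: effective, hardened: effective === HARDENED[name] };
  }
  return result;
}

// user.js fragment that applies the report's workaround.
function hardenedUserJs() {
  return (
    Object.entries(HARDENED)
      .map(([k, v]) => `user_pref(${JSON.stringify(k)}, ${JSON.stringify(v)});`)
      .join("\n") + "\n"
  );
}

// Constructed sample: a profile that turned off prefetch but left the
// speculative-connection limit at its default.
const SAMPLE_PREFS_JS = `
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.prefetch-next", false);
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPrefs(SAMPLE_PREFS_JS));
  console.log(hardenedUserJs());
}
```

Run against a real profile with `node audit.js < ~/.mozilla/firefox/<profile>/prefs.js` after replacing SAMPLE_PREFS_JS with the file contents; the fragment from hardenedUserJs() goes into user.js in the same profile directory, which Firefox re-applies on every start so the settings survive prefs.js rewrites.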

