Thursday, June 07, 2007

[SECURITY] [DSA 1300-1] New iceape packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1300-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
June 7th, 2007                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : iceape
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-1362 CVE-2007-1558 CVE-2007-2867 CVE-2007-2868 CVE-2007-2870 CVE-2007-2871

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the SeaMonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1362

Nicolas Derouet discovered that Iceape performs insufficient
validation of cookies, which could lead to denial of service.

CVE-2007-1558

Gaëtan Leurent discovered a cryptographic weakness in APOP
authentication, which reduces the effort required for an MITM attack
to intercept a password. The update enforces stricter validation, which
prevents this attack.

CVE-2007-2867

Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn
Wargers and Olli Pettay discovered crashes in the layout engine, which
might allow the execution of arbitrary code.

CVE-2007-2868

Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 and Wladimir Palant
discovered crashes in the JavaScript engine, which might allow the execution of
arbitrary code.

CVE-2007-2870

"moz_bug_r_a4" discovered that adding an event listener through the
addEventListener() function allows cross-site scripting.

CVE-2007-2871

Chris Thomas discovered that XUL popups can be abused for spoofing or
phishing attacks.

Fixes for the oldstable distribution (sarge) are not available. While there
will be another round of security updates for Mozilla products, Debian doesn't
have the resources to backport further security fixes to the old Mozilla
products. You're strongly encouraged to upgrade to stable as soon as possible.

For the stable distribution (etch) these problems have been fixed in version
1.0.9-0etch1. A build for the arm architecture is not yet available; it will
be provided later.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your iceape packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGaGd1Xm3vHE4uyloRAtH7AKClPnM3e436w+E2fVRpU94CkPdcNgCgw1ZZ
RkET7viqTwTrf9/ZMcjI5to=
=AO3n
-----END PGP SIGNATURE-----
