Search This Blog

Wednesday, June 13, 2007

[SECURITY] [DSA 1305-1] New icedove packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1305-1 security@debian.org
http://www.debian.org/security/

Moritz Muehlenhoff
June 13th, 2007

http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : icedove
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-1558 CVE-2007-2867 CVE-2007-2868

Several remote vulnerabilities have been discovered in the Icedove mail client,
an unbranded version of the Thunderbird client. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-1558

Gatan Leurent discovered a cryptographical weakness in APOP
authentication, which reduces the required efforts for an MITM attack
to intercept a password. The update enforces stricter validation, which
prevents this attack.

CVE-2007-2867

Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn
Wargers and Olli Pettay discovered crashes in the layout engine, which
might allow the execution of arbitrary code.

CVE-2007-2868

Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 and Wladimir Palant
discovered crashes in the Javascript engine, which might allow the execution of
arbitrary code. Generally, enabling Javascript in Icedove is not recommended.

Fixes for the oldstable distribution (sarge) are not available. While there
will be another round of security updates for Mozilla products, Debian doesn't
have the ressources to backport further security fixes to the old Mozilla
products. You're strongly encouraged to upgrade to stable as soon as possible.

For the stable distribution (etch) these problems have been fixed in version
1.5.0.12.dfsg1-0etch1.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your icedove packages.

Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.dsc

Size/MD5 checksum: 1904 782de141f4201acfdb3f64649e8633c1

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.diff.gz

Size/MD5 checksum: 638452 0b382503b7932c6a125a539ad36a9b56

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1.orig.tar.gz

Size/MD5 checksum: 33092818 246c0b87e4bd5b5f81df9bc4ad51f918

Architecture independent components:

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28294 f99aeeb33759ba7db937725c1257dc3c

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28304 f89eb9a9aaa76fb692f870e4865947ab

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28308 0fe7b986606e09ccbc06d35b41c22061

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28286 3c896128dee950a2a718d21e0e839e62

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28276 eed67c8b54582ca5bfec91b72c52a232

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28278 1959e478ec9c1a77619b01873ff822f6

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28300 959ee006281d442ce95ef229641ce827

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28290 5ecf563aca0d85c16e197c222100995b

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28306 c4d49ed78de21cb6112f38d189b93bc6

http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.12.dfsg1-0etch1_all.deb

Size/MD5 checksum: 28264 f951d0f14dd81bf7684d8129814f1a68

Alpha architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_alpha.deb

Size/MD5 checksum: 13441302 9e9c3111c0bae2d3b951d2d5a242a9f4

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_alpha.deb

Size/MD5 checksum: 52274362 fc61f6dd4176c30e40ce7d1c240b2d04

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_alpha.deb

Size/MD5 checksum: 3904592 506da6d9493a19303806e4e4599d245e

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_alpha.deb

Size/MD5 checksum: 51900 718719afe0bc423d1353efa0aaccaf18

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_alpha.deb

Size/MD5 checksum: 200108 3391daf25055064eb6764c290515a593

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_alpha.deb

Size/MD5 checksum: 64016 8f71e349f0776572f1b47a0430c293ee

AMD64 architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_amd64.deb

Size/MD5 checksum: 12139602 c6589e27cfac81ddad462cfcc5dd1a20

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_amd64.deb

Size/MD5 checksum: 51380120 b958a63e854cca7a442ee0207206bfd3

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_amd64.deb

Size/MD5 checksum: 3625224 099909dc279e37cbfabba5b165b31f88

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_amd64.deb

Size/MD5 checksum: 51780 8d98858fe2412be2d3d3b3b2efb20f48

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_amd64.deb

Size/MD5 checksum: 195302 5dd2cea99bb81707d2fb3eb437b522f7

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_amd64.deb

Size/MD5 checksum: 60724 24d81815f6ade2ca9e5505bb2be1a1dc

ARM architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_arm.deb

Size/MD5 checksum: 10829726 11a5ea81b564b5b2a66d666a94448da1

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_arm.deb

Size/MD5 checksum: 50725554 f3f0d6ef0eaa89c94998033cd909298f

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_arm.deb

Size/MD5 checksum: 3621960 dbef27a6cbcff0fb0a3b1b71ab38b12d

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_arm.deb

Size/MD5 checksum: 47306 b66e3e1280ad688ff19c846dba1d3e79

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_arm.deb

Size/MD5 checksum: 189468 56ba9915760e9e1d7b3e67ebf8080e9f

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_arm.deb

Size/MD5 checksum: 58506 6ea7bef2259e0bcd5e5e2e90289bda7e

HP Precision architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_hppa.deb

Size/MD5 checksum: 13567948 0c42a2559ba36becc3280ed6e4847b39

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_hppa.deb

Size/MD5 checksum: 52188544 61673b2091252f8941434c39dd533849

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_hppa.deb

Size/MD5 checksum: 3633974 6dcd7d0f6ebacd6963adca1c8d67f3a3

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_hppa.deb

Size/MD5 checksum: 53128 3ebf0f6649342d5d0eed34da1b8f8b66

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_hppa.deb

Size/MD5 checksum: 198222 888abaea2f5d82483409fb0559ab39f8

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_hppa.deb

Size/MD5 checksum: 64392 889538b4f36141d736e6bd8255335265

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_i386.deb

Size/MD5 checksum: 10876072 4798da0589b3eda451189f4ee837daa6

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_i386.deb

Size/MD5 checksum: 50636714 7cf5cf91aa41e12962a9b54cfcbc1f95

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_i386.deb

Size/MD5 checksum: 3619896 8b82595f5dd7722df603604522e8fe77

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_i386.deb

Size/MD5 checksum: 47684 442980b3b4af19981d3cefeab4c7be16

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_i386.deb

Size/MD5 checksum: 190362 aeebbabe4cd629c53e0b4457909672c5

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_i386.deb

Size/MD5 checksum: 57716 8a4994ffe091c7856528272c7819677e

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_ia64.deb

Size/MD5 checksum: 16500728 09d49b0442fd424b4aed1b19cf03c17f

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_ia64.deb

Size/MD5 checksum: 51672952 ca7a8a748836b8c7e18f5477fa0ccbd4

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_ia64.deb

Size/MD5 checksum: 3674838 4c056de3d838a4b6fd798534134fda83

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_ia64.deb

Size/MD5 checksum: 59168 88f4bd4ab03c5114cf877b20d256b136

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_ia64.deb

Size/MD5 checksum: 204384 f81bf3f095059110035b527083d21513

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_ia64.deb

Size/MD5 checksum: 73782 0e0446628f65f1971d610f8ea5eb55a8

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mips.deb

Size/MD5 checksum: 11547504 cb91bfc37e93e7ad7758d8bc88f1ea3b

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mips.deb

Size/MD5 checksum: 53010312 c000535f52bf6cf0882c24ffb1aa8f99

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mips.deb

Size/MD5 checksum: 3629758 404d00290b34e0dccbe535486d15d2ef

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mips.deb

Size/MD5 checksum: 48860 beeb138cb257900367f1a3515663a9bb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mips.deb

Size/MD5 checksum: 192122 51ba670ff72d85f5d268e76938ef3e1a

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mips.deb

Size/MD5 checksum: 58236 48a92291ff311b4baaa5127ed05fabd2

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mipsel.deb

Size/MD5 checksum: 11324984 054ea1a49b85b8ef1c96378a7e374d0d

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mipsel.deb

Size/MD5 checksum: 51571486 a8f34224277f5c1ae2a0f61b70d02593

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mipsel.deb

Size/MD5 checksum: 3629510 2e916487ac92b5fcf526448f059ba705

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mipsel.deb

Size/MD5 checksum: 48698 21fa0e18cf48698b639a42a118f069c4

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mipsel.deb

Size/MD5 checksum: 191618 0ea2fb530662a75f87c4900eed37e580

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mipsel.deb

Size/MD5 checksum: 58298 7dbf75a88f7a731046b6e030f39fcb2e

PowerPC architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_powerpc.deb

Size/MD5 checksum: 11771646 28848cf3b4daa66182ea2e6b3cc9f923

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_powerpc.deb

Size/MD5 checksum: 53187512 5c06f5751cf333896cefd8cd716d6ee0

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_powerpc.deb

Size/MD5 checksum: 3625032 e8da32f365cb833338a5f02ef1bd3854

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_powerpc.deb

Size/MD5 checksum: 49320 a51244d6bcad918b35045910efd3ee41

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_powerpc.deb

Size/MD5 checksum: 192360 22505d425d81e8c9cfc080e28385bf17

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_powerpc.deb

Size/MD5 checksum: 60046 f5537d555c091d6b21ed376cb285d618

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_s390.deb

Size/MD5 checksum: 12798692 f6c0fdd711173ad917b5ad6a519c39ef

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_s390.deb

Size/MD5 checksum: 52048216 a1b5a704d041b321d381192cc36ec16b

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_s390.deb

Size/MD5 checksum: 3628374 004598a21c81cd2d7c246eae41f8083a

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_s390.deb

Size/MD5 checksum: 52374 ef69f9ba492cc13cb34e7e5ffba9ffd6

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_s390.deb

Size/MD5 checksum: 197070 0910dede4859dc42492de82b278af585

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_s390.deb

Size/MD5 checksum: 61830 4c3b615eeda0bd9ce6563a9c147047c7

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_sparc.deb

Size/MD5 checksum: 11083210 15ca31506f5fc73c238fec8c744db051

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_sparc.deb

Size/MD5 checksum: 50536416 5da4451d0af12a06d57de7910393b93e

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_sparc.deb

Size/MD5 checksum: 3618046 3e22307aa970e88dc69f9e459ee8993e

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_sparc.deb

Size/MD5 checksum: 47856 81b806db6c0fe39763603af6758bc76d

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_sparc.deb

Size/MD5 checksum: 189880 bf1d05dfd15fbb91a5f4aa369f3802f1

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_sparc.deb

Size/MD5 checksum: 57790 cb8c6d9edd31af176b32dfcf5a6a88a5

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGcCpNXm3vHE4uyloRAly4AJ98IF87LBnkxez/YsOp13kH0mTESwCfZqIk
X6BZRBrnMJzMDbQK9rdXoec=
=rmeM
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: