BSA-010 Security Update for iceweasel



Alexander Reichle-Schmehl uploaded new packages for iceweasel which fixed the
following security problems:

CVE-2010-3174
CVE-2010-3176
	Multiple unspecified vulnerabilities in the browser engine in
	Iceweasel allow remote attackers to cause a denial of service
	(memory corruption and application crash) or possibly execute
	arbitrary code via unknown vectors.

CVE-2010-3177
	Multiple cross-site scripting (XSS) vulnerabilities in the
	Gopher parser in Iceweasel allow remote attackers to inject
	arbitrary web script or HTML via a crafted name of a (1) file
	or (2) directory on a Gopher server.

CVE-2010-3178
	Iceweasel does not properly handle certain modal calls made by
	javascript: URLs in circumstances related to opening a new
	window and performing cross-domain navigation, which allows
	remote attackers to bypass the Same Origin Policy via a
	crafted HTML document.

CVE-2010-3179
	Stack-based buffer overflow in the text-rendering
	functionality in Iceweasel allows remote attackers to execute
	arbitrary code or cause a denial of service (memory corruption
	and application crash) via a long argument to the
	document.write method.

CVE-2010-3180
	Use-after-free vulnerability in the nsBarProp function in
	Iceweasel allows remote attackers to execute arbitrary code by
	accessing the locationbar property of a closed window.

CVE-2010-3183
	The LookupGetterOrSetter function in Iceweasel does not
	properly support window.__lookupGetter__ function calls that
	lack arguments, which allows remote attackers to execute
	arbitrary code or cause a denial of service (incorrect pointer
	dereference and application crash) via a crafted HTML
	document.

For the lenny-backports distribution the problems have been fixed in
version 3.5.15-1~bpo50+1.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>

We recommend pinning the backports repository (in /etc/apt/preferences) to
200 so that new versions of installed backports are installed
automatically.

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200
