BSA-010 Security Update for iceweasel

Alexander Reichle-Schmehl uploaded new packages for iceweasel which fixed the
following security problems:

CVE-2010-3174
CVE-2010-3176

  Multiple unspecified vulnerabilities in the browser engine in
  Iceweasel allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

CVE-2010-3177

  Multiple cross-site scripting (XSS) vulnerabilities in the
  Gopher parser in Iceweasel allow remote attackers to inject
  arbitrary web script or HTML via a crafted name of a (1) file
  or (2) directory on a Gopher server.

CVE-2010-3178

  Iceweasel does not properly handle certain modal calls made by
  javascript: URLs in circumstances related to opening a new
  window and performing cross-domain navigation, which allows
  remote attackers to bypass the Same Origin Policy via a
  crafted HTML document.

CVE-2010-3179

  Stack-based buffer overflow in the text-rendering
  functionality in Iceweasel allows remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption
  and application crash) via a long argument to the
  document.write method.

CVE-2010-3180

  Use-after-free vulnerability in the nsBarProp function in
  Iceweasel allows remote attackers to execute arbitrary code by
  accessing the locationbar property of a closed window.

CVE-2010-3183

  The LookupGetterOrSetter function in Iceweasel does not
  properly support window.__lookupGetter__ function calls that
  lack arguments, which allows remote attackers to execute
  arbitrary code or cause a denial of service (incorrect pointer
  dereference and application crash) via a crafted HTML
  document.

For the lenny-backports distribution the problems have been fixed in
version 3.5.15-1~bpo50+1.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.

[1] <http://backports.debian.org/Instructions>

We recommend pinning the backports repository to 200 (in
/etc/apt/preferences) so that new versions of installed backports will
be installed automatically.

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200