Spring navigering over

• Om Debian
• Nyheder
• Få fat i Debian
• Support
• Udviklerhjørnet
• Sideoversigt
• Søg

Debians sikkerhedsbulletin

DSA-1696-1 icedove -- flere sårbarheder

Rapporteret den:

7. jan 2009

Berørte pakker:

icedove

Sårbar:

Ja

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2008-0016, CVE-2008-1380, CVE-2008-3835, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065, CVE-2008-4067, CVE-2008-4068, CVE-2008-4070, CVE-2008-4582, CVE-2008-5012, CVE-2008-5014, CVE-2008-5017, CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024, CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5511, CVE-2008-5512.

Yderligere oplysninger:

Flere fjernudnytbare sårbarheder er opdaget i mailklienten Icedove, en version af mailklienten Thunderbird. Projektet Common Vulnerabilities and Exposures har registreret følgende problemer:

• CVE-2008-0016

  Justin Schuh, Tom Cross og Peter Williams opdagede et bufferoverløb i fortolkeren af UTF-8-URL'er, hvilket måske kunne føre til udførelse af vilkårlig kode. (MFSA 2008-37)

• CVE-2008-1380

  Man opdagede at nedbrud i JavaScript-maskinen potentielt kunne føre til udførelse af vilkårlig kode. (MFSA 2008-20)

• CVE-2008-3835

  moz_bug_r_a4 opdagede at samme ophav-kontrollen i nsXMLDocument::OnChannelRedirect() kunne omgås. (MFSA 2008-38)

• CVE-2008-4058

  moz_bug_r_a4 opdagede en sårbarhed, der kunne medføre en Chrome-rettighedsforøgelse gennem XPCNativeWrappers. (MFSA 2008-41)

• CVE-2008-4059

  moz_bug_r_a4 opdagede en sårbarhed, der kunne medføre en Chrome-rettighedsforøgelse gennem XPCNativeWrappers. (MFSA 2008-41)

• CVE-2008-4060

  Olli Pettay og moz_bug_r_a4 opdagede en Chrome-rettighedsforøgelsessårbarhed i XSLT-håndtering. (MFSA 2008-41)

• CVE-2008-4061

  Jesse Ruderman opdagede et nedbrud i layout-maskinen, hvilket måske kunne gøre det muligt at udføre vilkårlig kode. (MFSA 2008-42)

• CVE-2008-4062

  Igor Bukanov, Philip Taylor, Georgi Guninski og Antoine Labour opdagede nedbrud i JavaScript-maskinen, hvilket måske kunne gøre det muligt at udføre vilkårlig kode. (MFSA 2008-42)

• CVE-2008-4065

  Dave Reed opdagede at nogle Unicode-byterækkefølgemarkeringer blev fjernet fra JavaScript-kode før udførelse, hvilket kunne medføre udførelse af kode, der ellers var del af en streng i anførselstegn. (MFSA 2008-43)

• CVE-2008-4067

  Man opdagede at et mappegennemløb gjorde det muligt for angribere at læse vilkårlige filer via et bestemt tegn. (MFSA 2008-44)

• CVE-2008-4068

  Man opdagede at et mappegennemløb gjorde det muligt for angribere at omgå sikkerhedsbegrænsninger og få fat i følsomme oplysninger. (MFSA 2008-44)

• CVE-2008-4070

  Man opdagede at et bufferoverløb kunne udløses gennem en lang header i en nyhedsartikel, hvilket kunne føre til udførelse af vilkårlig kode. (MFSA 2008-46)

• CVE-2008-4582

  Liu Die Yu og Boris Zbarsky opdagede en informationslækage gennem lokale genvejsfiler. (MFSA 2008-47, MFSA 2008-59)

• CVE-2008-5012

  Georgi Guninski, Michal Zalewski og Chris Evan opdagede at canvas-elementet kunne anvendes til at omgå samme ophav-begrænsninger. (MFSA 2008-48)

• CVE-2008-5014

  Jesse Ruderman opdagede at en programmingsfejl i objektet window.__proto__.__proto__ kunne føre til udførelse af vilkårlig kode. (MFSA 2008-50)

• CVE-2008-5017

  Man opdagede at nedbrud i layout-maskinen kunne føre til udførelse af vilkårlig kode. (MFSA 2008-52)

• CVE-2008-5018

  Man opdagede at nedbrud i JavaScript-maskinen kunne føre til udførelse af vilkårlig kode. (MFSA 2008-52)

• CVE-2008-5021

  Man opdagede at et nedbrud i nsFrameManager måske kunne føre til udførelse af vilkårlig kode. (MFSA 2008-55)

• CVE-2008-5022

  moz_bug_r_a4 opdagede at samme ophav-kontroller i nsXMLHttpRequest::NotifyEventListeners() kunne omgås. (MFSA 2008-56)

• CVE-2008-5024

  Chris Evans opdagede at anførselstegn blev indkaplset på ukorrekt vis i standardnavnerummet i E4X-dokumenter. (MFSA 2008-58)

• CVE-2008-5500

  Jesse Ruderman opdagede at layout-maskinen var sårbar over for lammelsesangreb (DoS), der måske kunne udløse hukommelseskorruption og heltalsoverløb. (MFSA 2008-60)

• CVE-2008-5503

  Boris Zbarsky opdagede at et informationsafsløringsangreb kunne udføres gennem XBL-bindinger. (MFSA 2008-61)

• CVE-2008-5506

  Marius Schilder opdagede at det var muligt at få fat i følsomme oplysninger gennem XMLHttpRequest. (MFSA 2008-64)

• CVE-2008-5507

  Chris Evans opdagede at det var muligt at få fat i følsomme oplysninger gennem en JavaScript-URL. (MFSA 2008-65)

• CVE-2008-5508

  Chip Salzenberg opdagede mulige phising-angreb gennem URL'er med foranstillet whitespace eller kontroltegn. (MFSA 2008-66)

• CVE-2008-5511

  Man opdagede at det var muligt at udføre skripter på tværs af websteder gennem en XBL-binding til et "unloaded document." (MFSA 2008-68)

• CVE-2008-5512

  Man opdagede at det var muligt at køre vilkårligt JavaScript med Chrome-rettigheder gennem ukendte angrebsvinkler. (MFSA 2008-68)

I den stabile distribution (etch) er disse problemer rettet i version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1. Pakker til s390 vil blive stillet til rådighed senere.

I den kommende stabile distribution (lenny) vil disse problemer snart blive rettet.

I den ustabile (sid) distribution er disse problemer rettet i version 2.0.0.19-1.

Vi anbefaler at du opgraderer dine icedove-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1.diff.gz

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i.orig.tar.gz

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1.dsc

Arkitekturuafhængig komponent:

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb

Alpha:

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb

HP Precision:

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb

Big-endian MIPS:

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb

Little-endian MIPS:

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.

Denne side findes også på følgende sprog:

English français 日本語 (Nihongo) svenska

Sådan opsætter du standardsprogvalg for dokumenter