Debian Security Advisory
DSA-2186-1 iceweasel -- several vulnerabilities
- Date Reported:
- 09 Mar 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-1585, CVE-2011-0051, CVE-2011-0053, CVE-2011-0054, CVE-2011-0055, CVE-2011-0055, CVE-2011-0056, CVE-2011-0057, CVE-2011-0059.
- More information:
Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.
Roberto Suggi Liverani discovered that the sanitising performed by ParanoidFragmentSink was incomplete.
Zach Hoffmann discovered that incorrect parsing of recursive eval() calls could lead to attackers forcing acceptance of a confirmation dialogue.
Crashes in the layout engine may lead to the execution of arbitrary code.
regenrechtand Igor Bukanov discovered a use-after-free error in the JSON-Implementation, which could lead to the execution of arbitrary code.
Daniel Kozlowski discovered that incorrect memory handling the web workers implementation could lead to the execution of arbitrary code.
Peleus Uhley discovered a cross-site request forgery risk in the plugin code.
For the oldstable distribution (lenny), this problem has been fixed in version 18.104.22.168-8 of the xulrunner source package.
For the stable distribution (squeeze), this problem has been fixed in version 3.5.16-5.
For the unstable distribution (sid), this problem has been fixed in version 3.5.17-1.
We recommend that you upgrade your iceweasel packages.