Debian Security Advisory
DSA-2345-1 icedove -- several vulnerabilities
- Date Reported:
- 11 Nov 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-3647, CVE-2011-3648, CVE-2011-3650.
- More information:
Several vulnerabilities have been discovered in Icedove, a mail client based on Thunderbird.
The JSSubScriptLoader does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior.
A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
For the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze6.
For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 3.1.15-1.
We recommend that you upgrade your icedove packages.