Debian Security Advisory
DSA-2406-1 icedove -- several vulnerabilities
- Date Reported:
- 09 Feb 2012
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-3670, CVE-2012-0442, CVE-2012-0444, CVE-2012-0449.
- More information:
Several vulnerabilities have been discovered in Icedove, Debian's variant of the Mozilla Thunderbird code base.
Icedove does not not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages.
Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code.
Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.
Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document.
For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze7.
We recommend that you upgrade your icedove packages.