Debian DSA-2312-1 : iceape - several vulnerabilities

NASLDB: Debian DSA-2312-1 : iceape - several vulnerabilities

General

ID: 56339
Name: Debian DSA-2312-1 : iceape – several vulnerabilities

Summary: Checks dpkg output for the updated package

Credits: –

Classification

Risk: –

CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Vector: –

Port: 0
Family: Debian Local Security Checks
Type: Local

Description

Several vulnerabilities have been found in the Iceape internet suite,
an unbranded version of Seamonkey :

– CVE-2011-2372
Mariusz Mlynski discovered that websites could open a
download dialog â€”Â which has ‘open’ as the default
actionÂ â€”, while a user presses the ENTER key.

– CVE-2011-2995
Benjamin Smedberg, Bob Clary and Jesse Ruderman
discovered crashes in the rendering engine, which could
lead to the execution of arbitrary code.

– CVE-2011-2998
Mark Kaplan discovered an integer underflow in the
JavaScript engine, which could lead to the execution of
arbitrary code.

– CVE-2011-2999
Boris Zbarsky discovered that incorrect handling of the
window.location object could lead to bypasses of the
same-origin policy.

– CVE-2011-3000
Ian Graham discovered that multiple Location headers
might lead to CRLF injection.

The oldstable distribution (lenny) is not affected. The iceape package
only provides the XPCOM code.

Exploiting

Exploit Available: –
Exploitability Ease: –

Sources

CVE: CVE-2011-2372
OSVDB: –
Bugtraq: –
scipID: –

Timeline

Vulnerability Disclosure: –
Patch Release: 2011/09/29
Plugin Release: 2011/09/30

Plugin

Version: 1.7
Filename: debian_DSA-2312.nasl
Filesize: 4236 bytes
MD5 Hash: 50eaceecf2088743a2714c533ea57d65

Identification: Host/local_checks_enabled
Require Keys: Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l
Dependencies: "ssh_get_info.nasl"

Letzte Plugins

Letzte Plugins

scip AG