-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1305-1 security@xxxxxxxxxx http://www.debian.org/security/ Moritz Muehlenhoff June 13th, 2007 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : icedove Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-1558 CVE-2007-2867 CVE-2007-2868 Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1558 Gatan Leurent discovered a cryptographical weakness in APOP authentication, which reduces the required efforts for an MITM attack to intercept a password. The update enforces stricter validation, which prevents this attack. CVE-2007-2867 Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn Wargers and Olli Pettay discovered crashes in the layout engine, which might allow the execution of arbitrary code. CVE-2007-2868 Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 and Wladimir Palant discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Generally, enabling Javascript in Icedove is not recommended. Fixes for the oldstable distribution (sarge) are not available. While there will be another round of security updates for Mozilla products, Debian doesn't have the ressources to backport further security fixes to the old Mozilla products. You're strongly encouraged to upgrade to stable as soon as possible. For the stable distribution (etch) these problems have been fixed in version 1.5.0.12.dfsg1-0etch1. The unstable distribution (sid) will be fixed soon. We recommend that you upgrade your icedove packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.dsc Size/MD5 checksum: 1904 782de141f4201acfdb3f64649e8633c1 http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.diff.gz Size/MD5 checksum: 638452 0b382503b7932c6a125a539ad36a9b56 http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1.orig.tar.gz Size/MD5 checksum: 33092818 246c0b87e4bd5b5f81df9bc4ad51f918 Architecture independent components: http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28294 f99aeeb33759ba7db937725c1257dc3c http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28304 f89eb9a9aaa76fb692f870e4865947ab http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28308 0fe7b986606e09ccbc06d35b41c22061 http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28286 3c896128dee950a2a718d21e0e839e62 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28276 eed67c8b54582ca5bfec91b72c52a232 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28278 1959e478ec9c1a77619b01873ff822f6 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28300 959ee006281d442ce95ef229641ce827 http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28290 5ecf563aca0d85c16e197c222100995b http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28306 c4d49ed78de21cb6112f38d189b93bc6 http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.12.dfsg1-0etch1_all.deb Size/MD5 checksum: 28264 f951d0f14dd81bf7684d8129814f1a68 Alpha architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 13441302 9e9c3111c0bae2d3b951d2d5a242a9f4 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 52274362 fc61f6dd4176c30e40ce7d1c240b2d04 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 3904592 506da6d9493a19303806e4e4599d245e http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 51900 718719afe0bc423d1353efa0aaccaf18 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 200108 3391daf25055064eb6764c290515a593 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_alpha.deb Size/MD5 checksum: 64016 8f71e349f0776572f1b47a0430c293ee AMD64 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 12139602 c6589e27cfac81ddad462cfcc5dd1a20 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 51380120 b958a63e854cca7a442ee0207206bfd3 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 3625224 099909dc279e37cbfabba5b165b31f88 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 51780 8d98858fe2412be2d3d3b3b2efb20f48 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 195302 5dd2cea99bb81707d2fb3eb437b522f7 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_amd64.deb Size/MD5 checksum: 60724 24d81815f6ade2ca9e5505bb2be1a1dc ARM architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_arm.deb Size/MD5 checksum: 10829726 11a5ea81b564b5b2a66d666a94448da1 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_arm.deb Size/MD5 checksum: 50725554 f3f0d6ef0eaa89c94998033cd909298f http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_arm.deb Size/MD5 checksum: 3621960 dbef27a6cbcff0fb0a3b1b71ab38b12d http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_arm.deb Size/MD5 checksum: 47306 b66e3e1280ad688ff19c846dba1d3e79 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_arm.deb Size/MD5 checksum: 189468 56ba9915760e9e1d7b3e67ebf8080e9f http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_arm.deb Size/MD5 checksum: 58506 6ea7bef2259e0bcd5e5e2e90289bda7e HP Precision architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_hppa.deb Size/MD5 checksum: 13567948 0c42a2559ba36becc3280ed6e4847b39 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_hppa.deb Size/MD5 checksum: 52188544 61673b2091252f8941434c39dd533849 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_hppa.deb Size/MD5 checksum: 3633974 6dcd7d0f6ebacd6963adca1c8d67f3a3 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_hppa.deb Size/MD5 checksum: 53128 3ebf0f6649342d5d0eed34da1b8f8b66 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_hppa.deb Size/MD5 checksum: 198222 888abaea2f5d82483409fb0559ab39f8 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_hppa.deb Size/MD5 checksum: 64392 889538b4f36141d736e6bd8255335265 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_i386.deb Size/MD5 checksum: 10876072 4798da0589b3eda451189f4ee837daa6 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_i386.deb Size/MD5 checksum: 50636714 7cf5cf91aa41e12962a9b54cfcbc1f95 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_i386.deb Size/MD5 checksum: 3619896 8b82595f5dd7722df603604522e8fe77 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_i386.deb Size/MD5 checksum: 47684 442980b3b4af19981d3cefeab4c7be16 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_i386.deb Size/MD5 checksum: 190362 aeebbabe4cd629c53e0b4457909672c5 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_i386.deb Size/MD5 checksum: 57716 8a4994ffe091c7856528272c7819677e Intel IA-64 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 16500728 09d49b0442fd424b4aed1b19cf03c17f http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 51672952 ca7a8a748836b8c7e18f5477fa0ccbd4 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 3674838 4c056de3d838a4b6fd798534134fda83 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 59168 88f4bd4ab03c5114cf877b20d256b136 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 204384 f81bf3f095059110035b527083d21513 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_ia64.deb Size/MD5 checksum: 73782 0e0446628f65f1971d610f8ea5eb55a8 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mips.deb Size/MD5 checksum: 11547504 cb91bfc37e93e7ad7758d8bc88f1ea3b http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mips.deb Size/MD5 checksum: 53010312 c000535f52bf6cf0882c24ffb1aa8f99 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mips.deb Size/MD5 checksum: 3629758 404d00290b34e0dccbe535486d15d2ef http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mips.deb Size/MD5 checksum: 48860 beeb138cb257900367f1a3515663a9bb http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mips.deb Size/MD5 checksum: 192122 51ba670ff72d85f5d268e76938ef3e1a http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mips.deb Size/MD5 checksum: 58236 48a92291ff311b4baaa5127ed05fabd2 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 11324984 054ea1a49b85b8ef1c96378a7e374d0d http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 51571486 a8f34224277f5c1ae2a0f61b70d02593 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 3629510 2e916487ac92b5fcf526448f059ba705 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 48698 21fa0e18cf48698b639a42a118f069c4 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 191618 0ea2fb530662a75f87c4900eed37e580 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mipsel.deb Size/MD5 checksum: 58298 7dbf75a88f7a731046b6e030f39fcb2e PowerPC architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 11771646 28848cf3b4daa66182ea2e6b3cc9f923 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 53187512 5c06f5751cf333896cefd8cd716d6ee0 http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 3625032 e8da32f365cb833338a5f02ef1bd3854 http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 49320 a51244d6bcad918b35045910efd3ee41 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 192360 22505d425d81e8c9cfc080e28385bf17 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_powerpc.deb Size/MD5 checksum: 60046 f5537d555c091d6b21ed376cb285d618 IBM S/390 architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_s390.deb Size/MD5 checksum: 12798692 f6c0fdd711173ad917b5ad6a519c39ef http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_s390.deb Size/MD5 checksum: 52048216 a1b5a704d041b321d381192cc36ec16b http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_s390.deb Size/MD5 checksum: 3628374 004598a21c81cd2d7c246eae41f8083a http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_s390.deb Size/MD5 checksum: 52374 ef69f9ba492cc13cb34e7e5ffba9ffd6 http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_s390.deb Size/MD5 checksum: 197070 0910dede4859dc42492de82b278af585 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_s390.deb Size/MD5 checksum: 61830 4c3b615eeda0bd9ce6563a9c147047c7 Sun Sparc architecture: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 11083210 15ca31506f5fc73c238fec8c744db051 http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 50536416 5da4451d0af12a06d57de7910393b93e http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 3618046 3e22307aa970e88dc69f9e459ee8993e http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 47856 81b806db6c0fe39763603af6758bc76d http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 189880 bf1d05dfd15fbb91a5f4aa369f3802f1 http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_sparc.deb Size/MD5 checksum: 57790 cb8c6d9edd31af176b32dfcf5a6a88a5 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGcCpNXm3vHE4uyloRAly4AJ98IF87LBnkxez/YsOp13kH0mTESwCfZqIk X6BZRBrnMJzMDbQK9rdXoec= =rmeM -----END PGP SIGNATURE-----