Säkerhetsbulletin från Debian

DSA-1305-1 icedove -- flera sårbarheter

Rapporterat den:

2007-06-13

Berörda paket:

icedove

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2007-1558, CVE-2007-2867, CVE-2007-2868.

Ytterligare information:

Flera utifrån nåbara sårbarheter har upptäckts i e-postklienten Icedove, en varumärkesfri version av Thunderbird. Projektet Common Vulnerabilities and Exposures identifierar följande problem:

CVE-2007-1558
Gatan Leurent upptäckte en kryptografisk svaghet i APOP-autentiseringen, vilket minskar mängden arbete som behövs för en MITM-attack för att fånga upp lösenord. Uppdateringen framtvingar striktare validering, vilket förhindrar angreppet.
CVE-2007-2867
Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn Wargers och Olli Pettay upptäckte krascher i layoutmotorn, vilka kanske kunde göra det möjligt att exekvera godtycklig kod.
CVE-2007-2868
Brendan Eich, Igor Bukanov, Jesse Ruderman, moz_bug_r_a4 och Wladimir Palant upptäckte krascher i JavaScript-motorn, vilka kanske kunde göra det möjligt att exekvera godtycklig kod.

Det finns inga rättelser för den gamla stabila utgåvan (Sarge). Trots att det kommer att komma ytterligare en runda med säkerhetsuppdateringar för Mozillaprodukter har inte Debian resurser att ytterligare bakåtanpassa rättelser till de gamla Mozillaprodukterna. Du rekommenderas å det bestämdaste att uppgradera till den stabila utgåvan så fort som möjligt.

För den stabila utgåvan (Etch) har dessa problem rättats i version 1.5.0.12.dfsg1-0etch1.

Den instabila utgåvan (Sid) kommer rättas inom kort.

Vi rekommenderar att ni uppgraderar era icedove-paket.

Rättat i:

Debian GNU/Linux 4.0 (etch)

Källkod:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.dsc; http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1.diff.gz; http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1.orig.tar.gz
Arkitekturoberoende komponent:: http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.12.dfsg1-0etch1_all.deb; http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.12.dfsg1-0etch1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_alpha.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_amd64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_arm.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_arm.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_arm.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_arm.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_arm.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_arm.deb
HPPA:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_hppa.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_i386.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_i386.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_i386.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_i386.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_i386.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_ia64.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_ia64.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mips.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mips.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mips.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mips.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mips.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_mipsel.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_powerpc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_s390.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_s390.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_s390.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_s390.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_s390.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.12.dfsg1-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.12.dfsg1-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.12.dfsg1-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.12.dfsg1-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.12.dfsg1-0etch1_sparc.deb; http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.12.dfsg1-0etch1_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.