Debian DSA-2296-1 : iceweasel - several vulnerabilities

Critical Nessus Plugin ID 55889

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.

- CVE-2011-0084: 'regenrecht' discovered that incorrect pointer handling in the SVG processing code could lead to the execution of arbitrary code.

- CVE-2011-2378: 'regenrecht' discovered that incorrect memory management in DOM processing could lead to the execution of arbitrary code.

- CVE-2011-2981: 'moz_bug_r_a4' discovered a chrome privilege escalation vulnerability in the event handler code.

- CVE-2011-2982: Gary Kwong, Igor Bukanov, Nils and Bob Clary discovered memory corruption bugs, which may lead to the execution of arbitrary code.

- CVE-2011-2983: 'shutdown' discovered an information leak in the handling of RegExp.input.

- CVE-2011-2984: 'moz_bug_r_a4' discovered a chrome privilege escalation vulnerability.

Solution

Upgrade the iceweasel packages.

For the oldstable distribution (lenny), this problem has been fixed in version 1.9.0.19-13 of the xulrunner source package.

For the stable distribution (squeeze), this problem has been fixed in version 3.5.16-9.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-0084

https://security-tracker.debian.org/tracker/CVE-2011-2378

https://security-tracker.debian.org/tracker/CVE-2011-2981

https://security-tracker.debian.org/tracker/CVE-2011-2982

https://security-tracker.debian.org/tracker/CVE-2011-2983

https://security-tracker.debian.org/tracker/CVE-2011-2984

https://packages.debian.org/source/squeeze/iceweasel

https://www.debian.org/security/2011/dsa-2296

Plugin Details

Severity: Critical

ID: 55889

File Name: debian_DSA-2296.nasl

Version: 1.15

Type: local

Agent: unix

Published: 2011/08/18

Updated: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:iceweasel, cpe:/o:debian:debian_linux:5.0, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/08/17

Reference Information

CVE: CVE-2011-0084, CVE-2011-2378, CVE-2011-2981, CVE-2011-2982, CVE-2011-2983, CVE-2011-2984

BID: 49166

DSA: 2296