Synopsis
The remote Debian host is missing a security-related update.
Description
Several vulnerabilities have been discovered in Icedove, a mail client based on Thunderbird.
- CVE-2011-3647 The JSSubScriptLoader does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted website that leverages certain unwrapping behavior.
- CVE-2011-3648 A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
- CVE-2011-3650 Iceweasel does not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.
Solution
Upgrade the icedove packages.
For the stable distribution (squeeze), these problems have been fixed in version 3.0.11-1+squeeze6.