Debian DSA-2406-1 : icedove - several vulnerabilities
Critical Nessus Plugin ID 57879
The remote Debian host is missing a security-related update.
Several vulnerabilities have been discovered in Icedove, Debian's variant of the Mozilla Thunderbird code base. - CVE-2011-3670 Icedove does not not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages. - CVE-2012-0442 Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code. - CVE-2012-0444 Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file. - CVE-2012-0449 Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document.
Upgrade the icedove packages. For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze7.