Debian DSA-2406-1 : icedove - several vulnerabilities

Critical Nessus Plugin ID 57879

VPR Score: 6.7

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in Icedove, Debian's variant of the Mozilla Thunderbird code base.

- CVE-2011-3670 Icedove does not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages.

- CVE-2012-0442 Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code.

- CVE-2012-0444 Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.

- CVE-2012-0449 Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document.

Solution

Upgrade the icedove packages.

For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze7.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-3670

https://security-tracker.debian.org/tracker/CVE-2012-0442

https://security-tracker.debian.org/tracker/CVE-2012-0444

https://security-tracker.debian.org/tracker/CVE-2012-0449

https://packages.debian.org/source/squeeze/icedove

https://www.debian.org/security/2012/dsa-2406

Plugin Details

Severity: Critical

ID: 57879

File Name: debian_DSA-2406.nasl

Version: 1.10

Type: local

Agent: unix

Published: 2012/02/10

Updated: 2020/03/12

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 6.7

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:icedove, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2012/02/09

Reference Information

CVE: CVE-2011-3670, CVE-2012-0442, CVE-2012-0444, CVE-2012-0449

BID: 51753, 51754, 51756, 51786

DSA: 2406