CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS
Percentile: 98.5%

Alexander Reichle-Schmehl uploaded new packages for iceweasel which fixed the
following security problems:

CVE-2010-3174
CVE-2010-3176
Multiple unspecified vulnerabilities in the browser engine in
Iceweasel allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.

CVE-2010-3177
Multiple cross-site scripting (XSS) vulnerabilities in the
Gopher parser in Iceweasel allow remote attackers to inject
arbitrary web script or HTML via a crafted name of a (1) file
or (2) directory on a Gopher server.

CVE-2010-3178
Iceweasel does not properly handle certain modal calls made by
javascript: URLs in circumstances related to opening a new
window and performing cross-domain navigation, which allows
remote attackers to bypass the Same Origin Policy via a
crafted HTML document.

CVE-2010-3179
Stack-based buffer overflow in the text-rendering
functionality in Iceweasel allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption
and application crash) via a long argument to the
document.write method.

CVE-2010-3180
Use-after-free vulnerability in the nsBarProp function in
Iceweasel allows remote attackers to execute arbitrary code by
accessing the locationbar property of a closed window.

CVE-2010-3183
The LookupGetterOrSetter function in Iceweasel does not
properly support window.__lookupGetter__ function calls that
lack arguments, which allows remote attackers to execute
arbitrary code or cause a denial of service (incorrect pointer
dereference and application crash) via a crafted HTML
document.

For the lenny-backports distribution the problems have been fixed in
version 3.5.15-1~bpo50+1.

Upgrade instructions

If you don't use pinning (see [1]), you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>", with
the packagelist of your installed packages affected by this update.

[1] <http://backports.debian.org/Instructions>

We recommend pinning the backports repository to 200 (in
/etc/apt/preferences) so that new versions of installed backports will
be installed automatically:

    Package: *
    Pin: release a=lenny-backports
    Pin-Priority: 200

OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
Debian | 5 | arm | xulrunner-1.9 | < 1.9.0.19-6 | xulrunner-1.9_1.9.0.19-6_arm.deb |
Debian | 5 | mipsel | libmozjs-dev | < 1.9.0.19-6 | libmozjs-dev_1.9.0.19-6_mipsel.deb |
Debian | 5 | armel | xulrunner-1.9 | < 1.9.0.19-6 | xulrunner-1.9_1.9.0.19-6_armel.deb |
Debian | 5 | mips | xulrunner-1.9-gnome-support | < 1.9.0.19-6 | xulrunner-1.9-gnome-support_1.9.0.19-6_mips.deb |
Debian | 5 | mipsel | xulrunner-1.9-dbg | < 1.9.0.19-6 | xulrunner-1.9-dbg_1.9.0.19-6_mipsel.deb |
Debian | 5 | hppa | python-xpcom | < 1.9.0.19-6 | python-xpcom_1.9.0.19-6_hppa.deb |
Debian | 5 | sparc | xulrunner-dev | < 1.9.0.19-6 | xulrunner-dev_1.9.0.19-6_sparc.deb |
Debian | 5 | hppa | libmozjs1d | < 1.9.0.19-6 | libmozjs1d_1.9.0.19-6_hppa.deb |
Debian | 5 | arm | libmozjs-dev | < 1.9.0.19-6 | libmozjs-dev_1.9.0.19-6_arm.deb |
Debian | 5 | hppa | spidermonkey-bin | < 1.9.0.19-6 | spidermonkey-bin_1.9.0.19-6_hppa.deb |