Several remote vulnerabilities have been discovered in the Icedove mail
client, an unbranded version of the Thunderbird client. The Common
Vulnerabilities and Exposures project identifies the following problems:
- CVE-2008-1233
moz_bug_r_a4 discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
- CVE-2008-1234
moz_bug_r_a4 discovered that insecure handling of event
handlers could lead to cross-site scripting.
- CVE-2008-1235
Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered
that incorrect principal handling could lead to cross-site
scripting and the execution of arbitrary code.
- CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
- CVE-2008-1237
georgi, tgirmann and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1.
We recommend that you upgrade your icedove packages.