Debian DSA-1344-1 : iceweasel - several vulnerabilities

high Nessus Plugin ID 25852

Synopsis

The remote Debian host is missing a security-related update.

Description

Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2007-3844 'moz_bug_r_a4' discovered that a regression in the handling of'about:blank' windows used by addons may lead to an attacker being able to modify the content of websites.

- CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page.

The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates.

Solution

Upgrade the iceweasel packages.

For the stable distribution (etch) these problems have been fixed in version 2.0.0.6-0etch1.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-3844

https://security-tracker.debian.org/tracker/CVE-2007-3845

https://www.debian.org/security/2007/dsa-1344

Plugin Details

Severity: High

ID: 25852

File Name: debian_DSA-1344.nasl

Version: 1.19

Type: local

Agent: unix

Published: 8/13/2007

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:4.0, p-cpe:/a:debian:debian_linux:iceweasel

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/3/2007

Reference Information

CVE: CVE-2007-3844, CVE-2007-3845

DSA: 1344