Debian DSA-1346-1 : iceape - several vulnerabilities

high Nessus Plugin ID 25854

Synopsis

The remote Debian host is missing a security-related update.

Description

Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the SeaMonkey Internet Suite.
The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2007-3844 'moz_bug_r_a4' discovered that a regression in the handling of'about:blank' windows used by addons may lead to an attacker being able to modify the content of websites.

- CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page.

The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates.

Solution

Upgrade the iceape packages.

For the stable distribution (etch) these problems have been fixed in version 1.0.10~pre070720-0etch3.

See Also

https://www.debian.org/security/2007/dsa-1346

https://security-tracker.debian.org/tracker/CVE-2007-3844

https://security-tracker.debian.org/tracker/CVE-2007-3845

Plugin Details

Severity: High

ID: 25854

File Name: debian_DSA-1346.nasl

Version: 1.21

Type: local

Agent: unix

Published: 8/13/2007

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:iceape, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/4/2007

Reference Information

CVE: CVE-2007-3844, CVE-2007-3845

DSA: 1346