Debian DSA-2296-1 : iceweasel - several vulnerabilities

critical Nessus Plugin ID 55889

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.

- CVE-2011-0084: 'regenrecht' discovered that incorrect pointer handling in the SVG processing code could lead to the execution of arbitrary code.

- CVE-2011-2378: 'regenrecht' discovered that incorrect memory management in DOM processing could lead to the execution of arbitrary code.

- CVE-2011-2981: 'moz_bug_r_a_4' discovered a Chrome privilege escalation vulnerability in the event handler code.

- CVE-2011-2982: Gary Kwong, Igor Bukanov, Nils and Bob Clary discovered memory corruption bugs, which may lead to the execution of arbitrary code.

- CVE-2011-2983: 'shutdown' discovered an information leak in the handling of RegExp.input.

- CVE-2011-2984: 'moz_bug_r_a4' discovered a Chrome privilege escalation vulnerability.

Solution

Upgrade the iceweasel packages.

For the oldstable distribution (lenny), this problem has been fixed in version 1.9.0.19-13 of the xulrunner source package.

For the stable distribution (squeeze), this problem has been fixed in version 3.5.16-9.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-0084

https://security-tracker.debian.org/tracker/CVE-2011-2378

https://security-tracker.debian.org/tracker/CVE-2011-2981

https://security-tracker.debian.org/tracker/CVE-2011-2982

https://security-tracker.debian.org/tracker/CVE-2011-2983

https://security-tracker.debian.org/tracker/CVE-2011-2984

https://packages.debian.org/source/squeeze/iceweasel

https://www.debian.org/security/2011/dsa-2296

Plugin Details

Severity: Critical

ID: 55889

File Name: debian_DSA-2296.nasl

Version: 1.17

Type: local

Agent: unix

Published: 8/18/2011

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:6.0, cpe:/o:debian:debian_linux:5.0, p-cpe:/a:debian:debian_linux:iceweasel

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/17/2011

Reference Information

CVE: CVE-2011-0084, CVE-2011-2378, CVE-2011-2981, CVE-2011-2982, CVE-2011-2983, CVE-2011-2984

BID: 49166

DSA: 2296