- -------------------------------------------------------------------------
Debian Security Advisory DSA-2583-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
December 08, 2012                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829
                 CVE-2012-5842
Debian Bug     :

Multiple vulnerabilities have been found in Iceweasel, the Debian web browser
based on Mozilla Firefox:

CVE-2012-5829

  Heap-based buffer overflow in the nsWindow::OnExposeEvent function could
  allow remote attackers to execute arbitrary code.

CVE-2012-5842

  Multiple unspecified vulnerabilities in the browser engine could allow remote
  attackers to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code.

CVE-2012-4207

  The HZ-GB-2312 character-set implementation does not properly handle a ~
  (tilde) character in proximity to a chunk delimiter, which allows remote
  attackers to conduct cross-site scripting (XSS) attacks via a crafted
  document.

CVE-2012-4201

  The evalInSandbox implementation uses an incorrect context during the
  handling of JavaScript code that sets the location.href property, which
  allows remote attackers to conduct cross-site scripting (XSS) attacks or read
  arbitrary files by leveraging a sandboxed add-on.

CVE-2012-4216

  Use-after-free vulnerability in the gfxFont::GetFontEntry function allows
  remote attackers to execute arbitrary code or cause a denial of service (heap
  memory corruption) via unspecified vectors.

For the stable distribution (squeeze), these problems have been fixed in
version 3.5.16-20.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.11esr-1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.11esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

The CSO perspective on healthcare security and compliance

Posted on 20 May 2013.  |  Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.

Cyber espionage campaign uses professionally-made malware

Posted on 20 May 2013.  |  A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.

Ransomware adds password stealing to its arsenal

Posted on 17 May 2013.  |  Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.

IT security jobs: What's in demand and how to meet it

Posted on 15 May 2013.  |  Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.

Hacking charge stations for electric cars

Posted on 15 May 2013.  |  Ofer Shezaf talks about what charge stations really are, why they have to be ‘smart’ and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety.