Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-5500 Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) CVE-2008-5503 Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) CVE-2008-5504 It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. (MFSA 2008-62) CVE-2008-5506 Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) CVE-2008-5507 Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) CVE-2008-5508 Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) CVE-2008-5510 Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms (MFSA 2008-67) CVE-2008-5511 It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) CVE-2008-5512 It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) CVE-2008-5513 moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. (MFSA 2008-69) For the stable distribution (etch) these problems have been fixed in version 2.0.0.19-0etch1. For the testing distribution (lenny) and the unstable distribution (sid) these problems have been fixed in version 3.0.5-1. Please note iceweasel in Lenny links dynamically against xulrunner. We recommend that you upgrade your iceweasel package.
Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:
Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60)
Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61)
It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. (MFSA 2008-62)
Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64)
Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65)
Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66)
Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms (MFSA 2008-67)
It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68)
It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68)
moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. (MFSA 2008-69)
For the stable distribution (etch) these problems have been fixed in version 2.0.0.19-0etch4.
For the testing distribution (lenny) and the unstable distribution (sid) these problems have been fixed in version 3.0.5-1. Please note iceweasel in Lenny links dynamically against xulrunner.
We recommend that you upgrade your iceweasel package.
MD5 checksums of the listed files are available in the original advisory.