Bug#505563: marked as done (Mozilla Thunderbird Multiple Vulnerabilities)

Sat, 03 Jan 2009 11:43:26 -0800 

Your message dated Sat, 03 Jan 2009 19:32:13 +0000
with message-id <e1ljceh-0007bp...@ries.debian.org>
and subject line Bug#505563: fixed in icedove 2.0.0.19-1
has caused the Debian Bug report #505563,
regarding Mozilla Thunderbird Multiple Vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
505563: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505563
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: icedove
Severity: critical
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for Thunderbird:

SA32715[1]

Description:
Some vulnerabilities have been reported in Mozilla Thunderbird, which
can be exploited by malicious people to disclose sensitive information,
bypass certain security restrictions, or compromise a user's system.

For more information:
SA32693

The vulnerabilities are reported in versions prior to 2.0.0.18.

Solution:
The vulnerabilities will be fixed in the upcoming 2.0.0.18 version.

The vendor recommends disabling JavaScript support.

Original Advisory:
http://www.mozilla.org/security/announce/2008/mfsa2008-48.html
http://www.mozilla.org/security/announce/2008/mfsa2008-50.html
http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
http://www.mozilla.org/security/announce/2008/mfsa2008-58.html

Other References:
SA32693[2]

CVE reference:
CVE-2008-5012
CVE-2008-5014
CVE-2008-5017
CVE-2008-5018
CVE-2008-5021
CVE-2008-5022
CVE-2008-5024

If you fix the vulnerability please also make sure to include the the
CVE id in the changelog entry.

[1]http://secunia.com/advisories/32715/
[2]http://secunia.com/advisories/32693/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkcQtAACgkQNxpp46476ao5OwCeNCFW4/5lurndSIqfTBQtkC4i
u6EAn0NS5yuBbdPRyHFDYxVdjEPKSIZI
=41lt
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message --- 
Source: icedove
Source-Version: 2.0.0.19-1

We believe that the bug you reported is fixed in the latest version of
icedove, which is due to be installed in the Debian FTP archive:

icedove-dbg_2.0.0.19-1_amd64.deb
  to pool/main/i/icedove/icedove-dbg_2.0.0.19-1_amd64.deb
icedove-dev_2.0.0.19-1_amd64.deb
  to pool/main/i/icedove/icedove-dev_2.0.0.19-1_amd64.deb
icedove-gnome-support_2.0.0.19-1_amd64.deb
  to pool/main/i/icedove/icedove-gnome-support_2.0.0.19-1_amd64.deb
icedove_2.0.0.19-1.diff.gz
  to pool/main/i/icedove/icedove_2.0.0.19-1.diff.gz
icedove_2.0.0.19-1.dsc
  to pool/main/i/icedove/icedove_2.0.0.19-1.dsc
icedove_2.0.0.19-1_amd64.deb
  to pool/main/i/icedove/icedove_2.0.0.19-1_amd64.deb
icedove_2.0.0.19.orig.tar.gz
  to pool/main/i/icedove/icedove_2.0.0.19.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Sack <a...@debian.org> (supplier of updated icedove package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 03 Jan 2009 16:27:42 +0100
Source: icedove
Binary: icedove icedove-gnome-support icedove-dbg icedove-dev
Architecture: source amd64
Version: 2.0.0.19-1
Distribution: unstable
Urgency: medium
Maintainer: Ubuntu Mozilla Team <ubuntu-mozillat...@lists.ubuntu.com>
Changed-By: Alexander Sack <a...@debian.org>
Description: 
 icedove    - free/unbranded thunderbird mail/news/rss clone
 icedove-dbg - Debug Symbols for Icedove
 icedove-dev - Development files for Icedove
 icedove-gnome-support - Support for Gnome in Icedove
Closes: 505563
Changes: 
 icedove (2.0.0.19-1) unstable; urgency=medium
 .
   * New upstream security/stability update (v.2.0.0.18/2.0.0.19) Closes: 505563
     2.0.0.18:
     * MFSA 2008-48 aka CVE-2008-5012 - Image stealing via canvas and HTTP
       redirect
     * MFSA 2008-50 aka CVE-2008-5014 - Crash and remote code execution via
       __proto__ tampering
     * MFSA 2008-52 aka CVE-2008-5017 - Crashes with evidence of memory
       corruption (rv:1.9.0.4/1.8.1.18); Browser engine crash in "Firefox 2
       and 3"
     * MFSA 2008-52 aka CVE-2008-5018 - Crashes with evidence of memory
       corruption (rv:1.9.0.4/1.8.1.18); JavaScript engine crash - "Firefox 2
       and 3"
     * MFSA 2008-55 aka CVE-2008-5021 - Crash and remote code execution in
       nsFrameManager
     * MFSA 2008-56 aka CVE-2008-5022 - nsXMLHttpRequest::NotifyEventListeners()
       same-origin violation
     * MFSA 2008-58 aka CVE-2008-5024 - Parsing error in E4X default namespace
     * MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and
       .textContent in mail
     2.0.0.19:
     * MFSA 2008-60 aka CVE-2008-5500 - Crashes with evidence of memory
       corruption (rv:1.9.0.5/1.8.1.19); Layout engine crashes - Firefox 2 and 3
     * MFSA 2008-61 aka CVE-2008-5503 - Information stealing via
       loadBindingDocument
     * MFSA 2008-64 aka CVE-2008-5506 - XMLHttpRequest 302 response disclosure
     * MFSA 2008-65 aka CVE-2008-5507 - Cross-domain data theft via script
       redirect error message
     * MFSA 2008-66 aka CVE-2008-5508 - Errors parsing URLs with leading
       whitespace and control characters
     * MFSA 2008-67 aka CVE-2008-5510 - Escaped null characters ignored by CSS
       parser
   * apply Maintainers, Uploaders changes done in 2.0.0.17 upload to
     debian/control
     - update debian/control
   * adjust/refresh patches to changed upstream code
     - update debian/patches/moz-app-name-as-mail-binary-name
     - update debian/patches/autoconf2.13-rerun
Checksums-Sha1: 
 419f7a0f4e47536794be8514a8a0b691d4274b37 2340 icedove_2.0.0.19-1.dsc
 a28f775f4e11dedbfd3d3cdf93e79fee06f1fb16 37062022 icedove_2.0.0.19.orig.tar.gz
 1c0fc16666fff42e01db400d58959faf6820aa55 119251 icedove_2.0.0.19-1.diff.gz
 29f16a2efdc32cd92cb06bd094c810381cfed6ca 12361488 icedove_2.0.0.19-1_amd64.deb
 6178413aad47027a943cfdce6b1d66eee5e3b2b8 58426 
icedove-gnome-support_2.0.0.19-1_amd64.deb
 e3bda756bea09883edd20c15c144845fdf9ae638 57564056 
icedove-dbg_2.0.0.19-1_amd64.deb
 7d119e0bfdb4bd32ecb43aa7cad71546c0af3b07 3918856 
icedove-dev_2.0.0.19-1_amd64.deb
Checksums-Sha256: 
 246c12a25684faa1a3e89dd7b68fa6a1bf2e96a08b78c0b9e6aa2acc8d36969e 2340 
icedove_2.0.0.19-1.dsc
 d4e60f3a54b4fa45a5c619e6a8cef5594dc0c9e6101337673c5d1c7ee097db16 37062022 
icedove_2.0.0.19.orig.tar.gz
 decb34e89c0876fe30f185f6f74f8a72159cdec065a8f602f45360f393182397 119251 
icedove_2.0.0.19-1.diff.gz
 4a73b2214c3dd1ffdedd5d344e68af741d99e63986428e4f15f5998be97df949 12361488 
icedove_2.0.0.19-1_amd64.deb
 c8e4b18301caee16bb40db61b1a8aeea37c55c4ddb1fa70abde9a02c60a9519c 58426 
icedove-gnome-support_2.0.0.19-1_amd64.deb
 9df766be0c86c205a7bb5e955918b0ff64b5715b01d84a78fd836ef29dab645e 57564056 
icedove-dbg_2.0.0.19-1_amd64.deb
 925866b917e1ff771a0b2a3234baf9c901b95a1c932c30f17115e3673c07c535 3918856 
icedove-dev_2.0.0.19-1_amd64.deb
Files: 
 6bb9241bd524b24d069552371b1b8e09 2340 mail optional icedove_2.0.0.19-1.dsc
 2e3a2844a7bfffc04ab67e35a409a360 37062022 mail optional 
icedove_2.0.0.19.orig.tar.gz
 debd6b1b5354cf85f0756a52fd738cdd 119251 mail optional 
icedove_2.0.0.19-1.diff.gz
 29811e3e145f68a0d5c3920a341f07ed 12361488 mail optional 
icedove_2.0.0.19-1_amd64.deb
 051b739b92a4674f5deb4558434d7747 58426 mail optional 
icedove-gnome-support_2.0.0.19-1_amd64.deb
 86a11c566e50c40f0699cc59760c2c12 57564056 mail optional 
icedove-dbg_2.0.0.19-1_amd64.deb
 0285ad2a49aad6531808050e2ccd387d 3918856 mail optional 
icedove-dev_2.0.0.19-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBAgAGBQJJX7P4AAoJEKBE/gcUDGZkbsAP/AqsqdDOn44Mtrb0HIawslp5
LacR5JSJgCfHPz+O1EslvonjxCeupSyyGlJl+fbrcOzm6lhYwHTk7yfRgrabYnqP
mBrJE38hgArXqG+kFC4UV+plv6BKbKj1pA/glhJkp+hMBx9cZ7LFeenba/6Nynnm
hlb7k++JSx9sZljttu1tnOnglgELSwG7D6gkMLoDV4S0c5of4rbnyQBlhHoEsJFN
mUwV8LwvsBVTbmDdqRLESU9nDk+tKeMO2a39ylm8GUmfDQDrkgPdNyQpvmdXcCcp
3PMH/0A5P6elW12VEwkfEDzGyea/H/zKSU0mINsdqoCBRbhR6mt96eqIjWwVZh2l
Sxs9gehNmYab+Q+wNcZTFWhQnFUdqsLX0XUfre7iJAWeYaeVuLgQkADgMTHrp7g7
VRRDZwdfAlURzGECBKSbuHAV+fzk3blS+StYHyDZWTgU2zw6tewaOz61qDl8Jyg8
6htyqeHjVwneLgRI7BRNM5Y7JR/nrS2p62IbW73hOnyWEa8ph1dR6lS7rdZ6+vCn
qLeSj54QhryUmdb1j9zWpV3OF0xH9jd7Gc1OAjYu7EbhJKnC3O1At7+0eLQrsptf
dDSIAjToDvewB8fckaG+rAUWk+9EPE7NJMpK7oxPyaqB1NqQA5pf1+ce1QTTRWqP
U7vPnCUHByCon2KvrfGj
=NyRe
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to