copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2016.0639 - [Debian] iceweasel: Multiple vulnerabilities

Date: 10 March 2016
References: ASB-2016.0025  ESB-2016.0633  ESB-2016.0635  ESB-2016.0673  ESB-2016.0707  ESB-2016.0725  ESB-2016.0728  ESB-2016.0767  ESB-2016.0770  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0639
                         iceweasel security update
                               10 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iceweasel
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2802 CVE-2016-2801 CVE-2016-2800
                   CVE-2016-2799 CVE-2016-2798 CVE-2016-2797
                   CVE-2016-2796 CVE-2016-2795 CVE-2016-2794
                   CVE-2016-2793 CVE-2016-2792 CVE-2016-2791
                   CVE-2016-2790 CVE-2016-1977 CVE-2016-1974
                   CVE-2016-1966 CVE-2016-1965 CVE-2016-1964
                   CVE-2016-1962 CVE-2016-1961 CVE-2016-1960
                   CVE-2016-1958 CVE-2016-1957 CVE-2016-1954
                   CVE-2016-1952 CVE-2016-1950 

Reference:         ASB-2016.0025
                   ESB-2016.0635
                   ESB-2016.0633

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3510

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3510-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 09, 2016                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : iceweasel
CVE ID         : CVE-2016-1950 CVE-2016-1952 CVE-2016-1954 CVE-2016-1957 
                 CVE-2016-1958 CVE-2016-1960 CVE-2016-1961 CVE-2016-1962
                 CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1974
                 CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792
                 CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796
                 CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800
                 CVE-2016-2801 CVE-2016-2802

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
buffer overflows, use-after-frees and other implementation errors may
lead to the execution of arbitrary code, denial of service, address bar
spoofing and overwriting local files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.7.0esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.7.0esr-1~deb8u1.

For the unstable distribution (sid), Debian is in the process of moving
back towards using the Firefox name. These problems will soon be fixed
in the firefox-esr source package.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJW4GozAAoJEBDCk7bDfE421D4P/2Cd9Vk6il233y2HFrgdhrn1
HgZmrE8pVXVLTGbK7o1LpsYPU/L0XOKW1utC+7orBQYAB0xC5vyIWFevXTC1AHyk
AFFuiuVyqkpOUUXPJr2++Y3Sao6bAmbAa6SyKQbEN477D4zTaU7IdFtsSHSEKXa2
PWQIa1rTmFFkXnWjyLa6sbVaOOSPsdnawRchUXJf6ac1YlGeAzRqDZIDpmYk+pvV
zytL7c/NYKF3CoGvF6PwiGFfoeXjNW9qaRa15HIfWT86kGxz6OAZnXFq1VY4fscz
v4z7Q8btSLms9IKIloWEZhPX1Ik7Bl1noX+e0hE/+r8iVRfRntL1PotozVattc1q
8wsaIKNIYpRykIzy5ZkSLRZzpOoPNgzHPbbcOXckobD+3ArOrcULZtfzn8qH9yFT
zU18HMyW0+4h/jx+J14g6+lzIg+XLHghg+30e7bs6JJXa5z8xtro6ahugu/aPzIs
AbMaPSL/Gk7eEEBZymCyc2n83Ns26so351d0zkHhuqO2Q097IPBfjf+Qk6rGjz+t
jeOvyL8VaXN7VnKJyyeQbmS2MquNV4cia06CQSiCoeXolNp4ZmWt+ENIL2YQ9xnU
s4vrfzF2xSLmB4AHLILJCE6xQJZim4Sm2jr+jC9OQS6w1FmEFu81jNttnIy8wr6f
iSPnc3vqzHOL9ejU5u6g
=pcAG
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVuCzo36ZAP0PgtI9AQJidBAAvhOIFMYVoqJ1CrQ2khuXVAZ9++jOQeLl
5uLsbreVVaMAq7X5whzg+gF5JiyZTmeFRAE9wrPXM+9TnWdqNrQd2/PI6FLLDFFG
oZ02ZnGfopHwo5bU2YmQSvZJFtGRfLX2aZLy8/WcN9ZHUxIQnksq/nDdgVrk8hzy
PCmMQ46TTKHio7WpIILHux3DezMCPLO3gfnYyp00VyaJtQM9VHfz8EGV8+JlAF84
c4FltPhjYvXPZx8u/3KDucfIXBPUM4/C/HdNPlVLHqg8FoEn0xZTxJMv1Vd74Rhj
3hGQZrx3P7PVtss+/ZfWzwMClR/+YS1ddyY14FcbztSjFcGPCYrzAvaMk7g4jOM+
N1dfwl/7dbjtr0XkQwBKJiArubLF2eu4NB/ecWSchmHZKYb2iOeUi0ysDQP3Dyct
3+61gRbdtq9eOqgnPuPr3b0o4hUrYoQ50wz4h8ZYnyWQmfKG1EDLh+tqI92lhK6J
K/UG9dONHDPcul3SLtfAAG6/qPE/iF7M5hQQOFCMBPiJmj2Z4qs8NFRBXG7hw6Me
DedUlevJZeKOtqfQGDYGyb+Ab1OMaF3gxSjVmRnkPSpst/2t7nbr27FnwYGXevR5
r2O8/5ZBf1UIyPhSaa2bcv4PL1sow2UnTgSS7q79EPiZPhSRZErAfvq9DqAteBK5
DaoepgJGj50=
=/Tlr
-----END PGP SIGNATURE-----