Debian Local Security Checks : Debian: Security Advisory (DSA-3345-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.703345

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-3345-1)

Summary: The remote host is missing an update for the Debian 'iceweasel' package(s) announced via the DSA-3345-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'iceweasel' package(s) announced via the DSA-3345-1 advisory.

Vulnerability Insight:
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-4497

Jean-Max Reymond and Ucha Gobejishvili discovered a use-after-free vulnerability which occurs when resizing of a canvas element is triggered in concert with style changes. A web page containing malicious content can cause Iceweasel to crash, or potentially, execute arbitrary code with the privileges of the user running Iceweasel.

CVE-2015-4498

Bas Venis reported a flaw in the handling of add-ons installation. A remote attacker can take advantage of this flaw to bypass the add-on installation prompt and trick a user into installing an add-on from a malicious source.

For the oldstable distribution (wheezy), these problems have been fixed in version 38.2.1esr-1~
deb7u1.

For the stable distribution (jessie), these problems have been fixed in version 38.2.1esr-1~
deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 38.2.1esr-1.

We recommend that you upgrade your iceweasel packages.

Affected Software/OS:
'iceweasel' package(s) on Debian 7, Debian 8.

Solution:
Please install the updated package(s).

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-4497
BugTraq ID: 76502
http://www.securityfocus.com/bid/76502
Debian Security Information: DSA-3345 (Google Search)
http://www.debian.org/security/2015/dsa-3345
http://www.zerodayinitiative.com/advisories/ZDI-15-406
RedHat Security Advisories: RHSA-2015:1693
http://rhn.redhat.com/errata/RHSA-2015-1693.html
http://www.securitytracker.com/id/1033397
SuSE Security Announcement: SUSE-SU-2015:1504 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html
SuSE Security Announcement: SUSE-SU-2015:2081 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
SuSE Security Announcement: openSUSE-SU-2015:1492 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html
http://www.ubuntu.com/usn/USN-2723-1
Common Vulnerability Exposure (CVE) ID: CVE-2015-4498
BugTraq ID: 76505
http://www.securityfocus.com/bid/76505
http://www.securitytracker.com/id/1033396

Copyright Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.703345
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-3345-1)
Summary:	The remote host is missing an update for the Debian 'iceweasel' package(s) announced via the DSA-3345-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'iceweasel' package(s) announced via the DSA-3345-1 advisory. Vulnerability Insight: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2015-4497 Jean-Max Reymond and Ucha Gobejishvili discovered a use-after-free vulnerability which occurs when resizing of a canvas element is triggered in concert with style changes. A web page containing malicious content can cause Iceweasel to crash, or potentially, execute arbitrary code with the privileges of the user running Iceweasel. CVE-2015-4498 Bas Venis reported a flaw in the handling of add-ons installation. A remote attacker can take advantage of this flaw to bypass the add-on installation prompt and trick a user into installing an add-on from a malicious source. For the oldstable distribution (wheezy), these problems have been fixed in version 38.2.1esr-1~ deb7u1. For the stable distribution (jessie), these problems have been fixed in version 38.2.1esr-1~ deb8u1. For the unstable distribution (sid), these problems have been fixed in version 38.2.1esr-1. We recommend that you upgrade your iceweasel packages. Affected Software/OS: 'iceweasel' package(s) on Debian 7, Debian 8. Solution: Please install the updated package(s). CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-4497 BugTraq ID: 76502 http://www.securityfocus.com/bid/76502 Debian Security Information: DSA-3345 (Google Search) http://www.debian.org/security/2015/dsa-3345 http://www.zerodayinitiative.com/advisories/ZDI-15-406 RedHat Security Advisories: RHSA-2015:1693 http://rhn.redhat.com/errata/RHSA-2015-1693.html http://www.securitytracker.com/id/1033397 SuSE Security Announcement: SUSE-SU-2015:1504 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html SuSE Security Announcement: SUSE-SU-2015:2081 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html SuSE Security Announcement: openSUSE-SU-2015:1492 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html http://www.ubuntu.com/usn/USN-2723-1 Common Vulnerability Exposure (CVE) ID: CVE-2015-4498 BugTraq ID: 76505 http://www.securityfocus.com/bid/76505 http://www.securitytracker.com/id/1033396
Copyright	Copyright (C) 2015 Greenbone AG