Test ID:	1.3.6.1.4.1.25623.1.0.71490
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-2514-1)
Summary:	The remote host is missing an update for the Debian 'iceweasel' package(s) announced via the DSA-2514-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'iceweasel' package(s) announced via the DSA-2514-1 advisory. Vulnerability Insight: Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian. CVE-2012-1948 Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey identified several memory safety problems that may lead to the execution of arbitrary code. CVE-2012-1950 Mario Gomes and Code Audit Labs discovered that it is possible to force Iceweasel to display the URL of the previous entered site through drag and drop actions to the address bar. This can be abused to perform phishing attacks. CVE-2012-1954 Abhishek Arya discovered a use-after-free problem in nsDocument::AdoptNode that may lead to the execution of arbitrary code. CVE-2012-1966 moz_bug_r_a4 discovered that it is possible to perform cross-site scripting attacks through the context menu when using data: URLs. CVE-2012-1967 moz_bug_r_a4 discovered that in certain cases, javascript: URLs can be executed so that scripts can escape the JavaScript sandbox and run with elevated privileges. Note: We'd like to advise users of Iceweasel's 3.5 branch in Debian stable to consider to upgrade to the Iceweasel 10.0 ESR (Extended Support Release) which is now available in Debian Backports. Although Debian will continue to support Iceweasel 3.5 in stable with security updates, this can only be done on a best effort basis as upstream provides no such support anymore. On top of that, the 10.0 branch adds proactive security features to the browser. For the stable distribution (squeeze), this problem has been fixed in version 3.5.16-17. For the unstable distribution (sid), this problem has been fixed in version 10.0.6esr-1. We recommend that you upgrade your iceweasel packages. Affected Software/OS: 'iceweasel' package(s) on Debian 6. Solution: Please install the updated package(s). CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-1948 BugTraq ID: 54580 http://www.securityfocus.com/bid/54580 Debian Security Information: DSA-2514 (Google Search) http://www.debian.org/security/2012/dsa-2514 Debian Security Information: DSA-2528 (Google Search) http://www.debian.org/security/2012/dsa-2528 http://osvdb.org/84007 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16744 RedHat Security Advisories: RHSA-2012:1088 http://rhn.redhat.com/errata/RHSA-2012-1088.html http://www.securitytracker.com/id?1027256 http://www.securitytracker.com/id?1027257 http://www.securitytracker.com/id?1027258 http://secunia.com/advisories/49963 http://secunia.com/advisories/49964 http://secunia.com/advisories/49965 http://secunia.com/advisories/49968 http://secunia.com/advisories/49972 http://secunia.com/advisories/49977 http://secunia.com/advisories/49979 http://secunia.com/advisories/49992 http://secunia.com/advisories/49993 http://secunia.com/advisories/49994 SuSE Security Announcement: SUSE-SU-2012:0895 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html SuSE Security Announcement: SUSE-SU-2012:0896 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html SuSE Security Announcement: openSUSE-SU-2012:0899 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html SuSE Security Announcement: openSUSE-SU-2012:0917 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html http://www.ubuntu.com/usn/USN-1509-1 http://www.ubuntu.com/usn/USN-1509-2 http://www.ubuntu.com/usn/USN-1510-1 Common Vulnerability Exposure (CVE) ID: CVE-2012-1950 http://osvdb.org/84008 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16970 Common Vulnerability Exposure (CVE) ID: CVE-2012-1954 BugTraq ID: 54578 http://www.securityfocus.com/bid/54578 http://osvdb.org/83995 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16984 Common Vulnerability Exposure (CVE) ID: CVE-2012-1966 BugTraq ID: 54577 http://www.securityfocus.com/bid/54577 http://osvdb.org/84009 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17037 Common Vulnerability Exposure (CVE) ID: CVE-2012-1967 BugTraq ID: 54573 http://www.securityfocus.com/bid/54573 http://osvdb.org/84013 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17025
Copyright	Copyright (C) 2012 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.