Package: iceweasel
Version: 38.1.0esr-3
Severity: grave
Tags: upstream security
Justification: user security hole
There are recent reports as of last week on the Wired magazine homepage under "technology" and "recent hacks while away at DEF CON" that exploit Firefox in major ways. Both Windows and Linux users were targeted and information was retrieved that should not have been able to be retrieved. Running any less than the experimental build leaves people vulnerable to this issue. More details are on the Wired website. Recommend immediate update to the experimental build version to fix this. I can't see why depends would break, but this needs some testing to see if anything would break with the update. In the meanwhile users can always install the latest Firefox in a non-root location (home folder) and run it from there. This should in theory work, as the Debian depends for the experimental version are a non-issue. I believe the file is a pre-compiled binary as released. Anything designed for Ubuntu Werewolf or less should run just dandy on stretch. As we are open source, we need to patch/update and disseminate (backport) things like this (to the mainstream Linux community [Fedora/RHEL/Ubuntu/project maintainers]) as they are discovered. We don't have time for major exploits to hit Linux and go unreported. I believe this is an upstream bug. As the exploit has already leaked, private BTS reporting is a moot point. I only discovered the issue as an already "in the wild" bug. Did not discover the exploit myself.
-- Package-specific info:

-- Extensions information
Name: Advanced Cookie Manager
Location: ${PROFILE_EXTENSIONS}/cookie...@jayapal.com
Status: user-disabled

Name: BugMeNot Plugin
Location: ${PROFILE_EXTENSIONS}/{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: Disable Anti-Adblock
Location: ${PROFILE_EXTENSIONS}/{d49a148e-817e-4025-bee3-5d541376de3b}.xpi
Status: enabled

Name: Disable DHE
Location: ${PROFILE_EXTENSIONS}/5aa55fd5-6e61-4896-b186-fdc6f298e...@mozilla.xpi
Status: enabled

Name: Disconnect Search
Location: ${PROFILE_EXTENSIONS}/sea...@disconnect.me.xpi
Status: enabled

Name: Easy Youtube Video Downloader Express
Location: ${PROFILE_EXTENSIONS}/{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi
Status: enabled

Name: Foobar
Location: ${PROFILE_EXTENSIONS}/foo...@unnecessarilylongurl.com.xpi
Status: enabled

Name: Greasemonkey
Location: ${PROFILE_EXTENSIONS}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
Status: enabled

Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywh...@eff.org
Status: enabled

Name: Long URL Please
Location: ${PROFILE_EXTENSIONS}/longurlple...@darragh.curran.xpi
Status: enabled

Name: NoSquint
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/nosqu...@urandom.ca
Package: xul-ext-nosquint
Status: enabled

Name: PassIFox
Location: ${PROFILE_EXTENSIONS}/passi...@hanhuy.com.xpi
Status: enabled

Name: Perspectives
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/perspecti...@cmu.edu
Package: xul-ext-perspectives
Status: enabled

Name: Readability
Location: ${PROFILE_EXTENSIONS}/readabil...@readability.com.xpi
Status: enabled

Name: Report Pedophile
Location: ${PROFILE_EXTENSIONS}/reportpedoph...@internetpredatortracker.com
Status: enabled

Name: uBlock
Location: ${PROFILE_EXTENSIONS}/{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi
Status: enabled

Name: URL Fixer
Location: ${PROFILE_EXTENSIONS}/{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi
Status: enabled

Name: User Agent Overrider
Location: ${PROFILE_EXTENSIONS}/useragentoverri...@qixinglu.com.xpi
Status: enabled

Name: WOT
Location: ${PROFILE_EXTENSIONS}/{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
Status: enabled

Name: YouTube High Definition
Location: ${PROFILE_EXTENSIONS}/{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: disabled

Name: Skype Buttons for Kopete
Location: /usr/lib/mozilla/plugins/skypebuttons.so
Package: kopete
Status: enabled

-- Addons package information
ii  gnome-shell     3.16.3-1     amd64  graphical shell for the GNOME des
ii  iceweasel       38.1.0esr-3  amd64  Web browser based on Firefox
ii  kopete          4:4.14.1-2   amd64  instant messaging and chat applic
ii  xul-ext-nosqui  2.1.9-3      all    control the size of text of websi
ii  xul-ext-perspe  4.6.2-1      all    verify HTTPS sites through notary

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.5.1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.29-1
ii  libatk1.0-0               2.16.0-2
ii  libc6                     2.19-19
ii  libcairo2                 1.14.2-2
ii  libdbus-1-3               1.8.20-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.2.1-3
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-4
ii  libgcc1                   1:5.1.1-14
ii  libgdk-pixbuf2.0-0        2.31.5-1
ii  libglib2.0-0              2.44.1-1.1
ii  libgtk2.0-0               2.24.28-1
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.8-2
ii  libnss3                   2:3.19.2-1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.11.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                5.1.1-14
ii  libvpx2                   1.4.0-4
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.10-2
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1:1.4.5-dmo1
ii  gstreamer1.0-plugins-good  1.4.5-2+b1

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.13.2+dfsg-2
pn  mozplugger             <none>

-- no debconf information