Summary
Several vulnerabilities have been discovered in Icedove, Debian's variant of the Mozilla Thunderbird code base.
CVE-2011-3670: Icedove does not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages.
CVE-2012-0442: Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code.
CVE-2012-0444: Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.
CVE-2012-0449: Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document.
Solution
For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze7.
We recommend that you upgrade your icedove packages.
Insight
Icedove is an unbranded Thunderbird mail client suitable for free distribution. It supports different mail accounts (POP, IMAP, Gmail), has an integrated learning Spam filter, and offers easy organization of mails with tagging and virtual folders. Also, more features can be added by installing extensions.
Affected
icedove on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2011-3670, CVE-2012-0442, CVE-2012-0444, CVE-2012-0449
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C