CVE-2009-0652

Name	CVE-2009-0652
Description	The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox 3.0.6 and other versions before 3.0.9; Thunderbird before 2.0.0.21; and SeaMonkey before 1.1.15 does not include box-drawing characters, which allows remote attackers to spoof URLs and conduct phishing attacks, as demonstrated by homoglyphs of the / (slash) and ? (question mark) characters in a subdomain of a .cn domain name, a different vulnerability than CVE-2005-0233. NOTE: some third parties claim that 3.0.6 is not affected, but much older versions perhaps are affected.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1797-1, DSA-1830-1
Debian Bugs	535124

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
icedove	source	lenny	2.0.0.22-0lenny1		DSA-1830-1
icedove	source	squeeze	2.0.0.22-0lenny1
icedove	source	(unstable)	2.0.0.22-1			535124
xulrunner	source	etch	(unfixed)	end-of-life
xulrunner	source	lenny	1.9.0.9-0lenny2		DSA-1797-1
xulrunner	source	(unstable)	1.9.0.9-1

Notes

[etch] - xulrunner <end-of-life> (Etch Packages no longer covered by security support)