DescriptionMozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as demonstrated by DNS requests triggered by reading text/plain e-mail messages in Thunderbird.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icedove (PTS)jessie1:52.3.0-4~deb8u2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
iceapesourceetch(not affected)
iceapesourcelenny(not affected)
icedovesourceetch(not affected)
icedovesourcelenny(not affected)
iceweaselsourcelenny(not affected)


[etch] - icedove <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
[lenny] - icedove <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
[lenny] - iceweasel <not-affected> (Iceweasel in Lenny links against xulrunner)
[etch] - iceape <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
[lenny] - iceape <not-affected> (dns prefetching implemented in xulrunner 1.9.1)

Search for package or bug name: Reporting problems