CVE-2011-2605

Name	CVE-2011-2605
Description	CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/cookie/nsCookieService.cpp in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allows remote attackers to bypass intended access restrictions via a string containing a \n (newline) character, which is not properly handled in a JavaScript "document.cookie =" expression, a different vulnerability than CVE-2011-2374.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2268-1, DSA-2269-1, DSA-2273-3

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
iceape	source	lenny	(not affected)
iceape	source	squeeze	2.0.11-6		DSA-2269-1
iceape	source	(unstable)	2.0.14-3
icedove	source	lenny	(unfixed)	end-of-life
icedove	source	squeeze	3.0.11-1+squeeze3		DSA-2273-3
icedove	source	(unstable)	3.1.11-1
iceweasel	source	lenny	(not affected)
iceweasel	source	squeeze	3.5.16-8		DSA-2268-1
iceweasel	source	(unstable)	3.5.19-3
xulrunner	source	lenny	1.9.0.19-12
xulrunner	source	(unstable)	(unfixed)	unimportant

Notes

[lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg)
[lenny] - iceape <not-affected> (Only a stub package)
xulrunner in wheezy is not covered by security support