Version in base suite: 3.0.6-1 Version in overlay suite: (not present) Base version: iceweasel_3.0.6-1 Target version: iceweasel_3.0.6-3 Base file: /org/ftp.debian.org/ftp/pool/main/i/iceweasel/iceweasel_3.0.6-1.dsc Target file: /org/ftp.debian.org/queue/p-u-new/iceweasel_3.0.6-3.dsc browser/components/feeds/src/FeedWriter.js | 4 ++++ browser/components/search/nsSearchService.js | 12 +++++++++++- iceweasel-3.0.6/debian/changelog | 12 ++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff -u iceweasel-3.0.6/debian/changelog iceweasel-3.0.6/debian/changelog --- iceweasel-3.0.6/debian/changelog +++ iceweasel-3.0.6/debian/changelog @@ -1,3 +1,15 @@ +iceweasel (3.0.6-3) stable-security; urgency=high + + * Fixes mfsa-2009-51, also known as CVE-2009-3079. + + -- Mike Hommey Thu, 10 Sep 2009 10:30:15 +0200 + +iceweasel (3.0.6-2) stable-security; urgency=low + + * Fixes mfsa-2009-20, also known as CVE-2009-1310. + + -- Mike Hommey Wed, 22 Apr 2009 21:55:11 +0200 + iceweasel (3.0.6-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- iceweasel-3.0.6.orig/browser/components/feeds/src/FeedWriter.js +++ iceweasel-3.0.6/browser/components/feeds/src/FeedWriter.js @@ -1331,6 +1331,8 @@ // nsIObserver observe: function FW_observe(subject, topic, data) { + subject = new XPCNativeWrapper(subject); + if (!this._window) { // this._window is null unless this.write was called with a trusted // window object. @@ -1402,6 +1404,8 @@ // nsINavHistoryService onPageChanged: function FW_onPageChanged(aURI, aWhat, aValue) { + aURI = new XPCNativeWrapper(aURI); + if (aWhat == Ci.nsINavHistoryObserver.ATTRIBUTE_FAVICON) { // Go through the readers menu and look for the corresponding // reader menu-item for the page if any. only in patch2: unchanged: --- iceweasel-3.0.6.orig/browser/components/search/nsSearchService.js +++ iceweasel-3.0.6/browser/components/search/nsSearchService.js 
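Review bot: The two added wrapper lines, `subject = new XPCNativeWrapper(subject);` at the top of `FW_observe` and `aURI = new XPCNativeWrapper(aURI);` at the top of `FW_onPageChanged`, carry no comment, so a later cleanup could mistake them for redundant reassignments and remove them. I would put one line above each, for example `// Only touch this argument through an XPCNativeWrapper (mfsa-2009-51 / CVE-2009-3079).`, taking the advisory reference from the changelog entry in this same diff. Both function bodies continue past their hunks, and the object's other observer and history callbacks are not visible here. If any of them also read properties of their arguments, they presumably need the same wrapping, which is worth checking against the full file.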
@@ -982,7 +982,17 @@
 // The name of the charset used to submit the search terms.
 _queryCharset: null,
 // A URL string pointing to the engine's search form.
- _searchForm: null,
+ __searchForm: null,
+ get _searchForm() {
+ return this.__searchForm;
+ },
+ set _searchForm(aValue) {
+ if (/^https?:/i.test(aValue))
+ this.__searchForm = aValue;
+ else
+ LOG("_searchForm: Invalid URL dropped for " + this._name ||
+ "the current engine");
+ },
 // The URI object from which the engine was retrieved.
 // This is null for local plugins, and is used for error messages and logging.
 _uri: null,
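Review bot: The `LOG` call in the new `_searchForm` setter has an operator-precedence slip: `+` binds tighter than `||`, so `"_searchForm: Invalid URL dropped for " + this._name` is always a non-empty string and the `"the current engine"` fallback can never be chosen. An engine without a name is therefore logged as `undefined` or `null`. Parenthesise the fallback: `LOG("_searchForm: Invalid URL dropped for " + (this._name || "the current engine"));`. Separately, a rejected value leaves `__searchForm` at whatever it held before, so an invalid assignment after a valid one keeps the earlier URL instead of clearing it. If that is intended, a short comment on the `else` branch should say so. The enclosing object literal starts and ends outside the hunk.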