USN-668-1: Thunderbird vulnerabilities


 
Posted: 11-25-2008

Referenced CVEs:
CVE-2008-5012 CVE-2008-5014 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 CVE-2008-5024


Description:
===========================================================
Ubuntu Security Notice USN-668-1          November 26, 2008
mozilla-thunderbird, thunderbird vulnerabilities
CVE-2008-5012, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017,
CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird  1.5.0.13+1.5.0.15~prepatch080614h-0ubuntu0.6.06.1

Ubuntu 7.10:
  thunderbird          2.0.0.18+nobinonly-0ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  thunderbird          2.0.0.18+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  thunderbird          2.0.0.18+nobinonly-0ubuntu0.8.10.1

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Georgi Guninski, Michal Zalewski and Chris Evans discovered that the same-origin
check in Thunderbird could be bypassed. If a user were tricked into opening a
malicious website, an attacker could obtain private information from data
stored in the images, or discover information about software on the user's
computer. (CVE-2008-5012)

Jesse Ruderman discovered that Thunderbird did not properly guard locks on
non-native objects. If a user had JavaScript enabled and were tricked into
opening malicious web content, an attacker could cause a browser crash and
possibly execute arbitrary code with user privileges. (CVE-2008-5014)

Several problems were discovered in the browser, layout and JavaScript engines.
If a user had JavaScript enabled, these problems could allow an attacker to
crash Thunderbird and possibly execute arbitrary code with user privileges.
(CVE-2008-5016, CVE-2008-5017, CVE-2008-5018)

A flaw was discovered in Thunderbird's DOM constructing code. If a user were
tricked into opening a malicious website while having JavaScript enabled, an
attacker could cause the browser to crash and potentially execute arbitrary
code with user privileges. (CVE-2008-5021)

It was discovered that the same-origin check in Thunderbird could be bypassed.
If a user had JavaScript enabled and were tricked into opening malicious web
content, an attacker could execute JavaScript in the context of a different
website. (CVE-2008-5022)

Chris Evans discovered that Thunderbird did not properly parse E4X documents,
leading to quote characters in the namespace not being properly escaped.
(CVE-2008-5024)

Boris Zbarsky discovered that Thunderbird did not properly process comments in
forwarded in-line messages. If a user had JavaScript enabled and opened a
malicious email, an attacker may be able to obtain information about the
recipient.




