[USN-1197-2] Thunderbird vulnerability

Posted on 02 September 2011
Ubuntu Security

============================================================================
Ubuntu Security Notice USN-1197-2
September 02, 2011

thunderbird vulnerability
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

A certificate authority issued fraudulent certificates.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

USN-1197-1 fixed a vulnerability in Firefox with regard to the DigiNotar
certificate authority. This update provides the corresponding updates for
Thunderbird.

We are aware that the DigiNotar Root CA Certificate is still shown as
trusted in the Thunderbird certificate manager. This is due to Thunderbird
using the system version of the Network Security Service libraries (NSS).
Thunderbird will actively distrust any certificate signed by this DigiNotar
Root CA certificate. This means that users will still get an untrusted
certificate warning when accessing a service through Thunderbird that
presents a certificate signed by this DigiNotar Root CA certificate.

Original advisory details:

It was discovered that Dutch Certificate Authority DigiNotar had
mis-issued multiple fraudulent certificates. These certificates could allow
an attacker to perform a "man in the middle" (MITM) attack which would make
the user believe their connection is secure, but is actually being
monitored.

For the protection of its users, Mozilla has removed the DigiNotar
certificate. Sites using certificates issued by DigiNotar will need to seek
another certificate vendor.

We are currently aware of a regression that blocks one of two Staat der
Nederlanden root certificates which are believed to still be secure. This
regression is being tracked at https://launchpad.net/bugs/838322.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
thunderbird 3.1.13+build1+nobinonly-0ubuntu0.11.04.1

Ubuntu 10.10:
thunderbird 3.1.13+build1+nobinonly-0ubuntu0.10.10.1

Ubuntu 10.04 LTS:
thunderbird 3.1.13+build1+nobinonly-0ubuntu0.10.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1197-2
http://www.ubuntu.com/usn/usn-1197-1
https://launchpad.net/bugs/837557

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/3.1.13+build1+nobinonly-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/thunderbird/3.1.13+build1+nobinonly-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/thunderbird/3.1.13+build1+nobinonly-0ubuntu0.10.04.1
