
[USN-1254-1] Thunderbird vulnerabilities

Posted on 22 December 2011
Ubuntu Security

============================================================================
Ubuntu Security Notice USN-1254-1
December 22, 2011

thunderbird vulnerabilities
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Multiple vulnerabilities have been fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

It was discovered that CVE-2011-3004, which addressed possible privilege
escalation in addons, also affected Thunderbird 3.1. An attacker could
potentially exploit a user who had installed an add-on that used
loadSubscript in vulnerable ways. (CVE-2011-3647)

Yosuke Hasegawa discovered that the Mozilla browser engine mishandled
invalid sequences in the Shift-JIS encoding. It may be possible to trigger
this crash without the use of debugging APIs, which might allow malicious
websites to exploit this vulnerability. An attacker could possibly use this
flaw to steal data or inject malicious scripts into web content.
(CVE-2011-3648)

Marc Schoenefeld discovered that using Firebug to profile a JavaScript file
with many functions would cause Firefox to crash. An attacker might be able
to exploit this without using the debugging APIs which would potentially
allow an attacker to remotely crash Thunderbird. (CVE-2011-3650)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
thunderbird 3.1.16+build2+nobinonly-0ubuntu0.11.04.1

Ubuntu 10.10:
thunderbird 3.1.16+build2+nobinonly-0ubuntu0.10.10.1

Ubuntu 10.04 LTS:
thunderbird 3.1.16+build2+nobinonly-0ubuntu0.10.04.1

After a standard system update you need to restart Thunderbird to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1254-1
CVE-2011-3647, CVE-2011-3648, CVE-2011-3650

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/3.1.16+build2+nobinonly-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/thunderbird/3.1.16+build2+nobinonly-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/thunderbird/3.1.16+build2+nobinonly-0ubuntu0.10.04.1



