openSUSE Security Update: MozillaThunderbird: Update to 3.1.12
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0935-2
Rating:             important
References:         #712224 
Affected Products:
                    openSUSE 11.4
                    openSUSE 11.3
______________________________________________________________________________

   An update that contains security fixes can now be
   installed. It includes three new package versions.

Description:

   Mozilla Thunderbird was updated to 3.1.12 fixing various
   bugs and  security issues:

   Mozilla Foundation Security Advisory 2011-32 (MFSA 2011-32)
   https://www.mozilla.org/en-US/security/advisories/mfsa2011-32/
   Many of the issues listed below are not exploitable through
   mail since JavaScript is disabled by default in
   Thunderbird. These particular issues may be triggered while
   viewing RSS feeds and displaying full remote content rather
   than the feed summary. Addons that expose browser
   functionality may also enable such issues to be exploited.

   * Miscellaneous memory safety hazards (rv:1.9.2.20)

   Mozilla developers and community members identified and
   fixed several memory safety bugs in the browser engine used
   in Thunderbird 3.1 and other Mozilla-based products. Some
   of these bugs showed evidence of memory corruption under
   certain circumstances, and we presume that with enough
   effort at least some of these could be exploited to run
   arbitrary code.

   Gary Kwong, Igor Bukanov, Nils and Bob Clary reported
   memory safety issues which affected Thunderbird 3.1.
   (CVE-2011-2982)

   * Crash in SVGTextElement.getCharNumAtPosition()

   Security researcher regenrecht reported via
   TippingPoint's Zero Day Initiative that a SVG text
   manipulation routine contained a dangling pointer
   vulnerability. (CVE-2011-0084)

   * Privilege escalation using event handlers
   Mozilla security researcher moz_bug_r_a_4 reported a
   vulnerability in event management code that would permit
   JavaScript to be run in the wrong context, including that
   of a different website or potentially in a
   chrome-privileged context. (CVE-2011-2981)

   * Dangling pointer vulnerability in appendChild

   Security researcher regenrecht reported via
   TippingPoint's Zero Day Initiative that appendChild did not
   correctly account for DOM objects it operated upon and
   could be exploited to dereference an invalid pointer.
   (CVE-2011-2378)

   * Privilege escalation dropping a tab element in content
   area

   Mozilla security researcher moz_bug_r_a4 reported that
   web content could receive chrome privileges if it
   registered for drop events and a browser tab element was
   dropped into the content area. (CVE-2011-2984)

   * Binary planting vulnerability in ThinkPadSensor::Startup

   Security researcher Mitja Kolsek of Acros Security
   reported that ThinkPadSensor::Startup could potentially be
   exploited to load a malicious DLL into the running process.
   (CVE-2011-2980)

   * Private data leakage using RegExp.input

   Security researcher shutdown reported that data from
   other domains could be read when RegExp.input was set.
   (CVE-2011-2983)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.4:

      zypper in -t patch MozillaThunderbird-5050 mozilla-js192-5010

   - openSUSE 11.3:

      zypper in -t patch MozillaThunderbird-5050

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 11.4 (i586 x86_64) [New Version: 1.9.2.20 and 3.1.12]:

      MozillaThunderbird-3.1.12-0.11.1
      MozillaThunderbird-buildsymbols-3.1.12-0.11.1
      MozillaThunderbird-devel-3.1.12-0.11.1
      MozillaThunderbird-translations-common-3.1.12-0.11.1
      MozillaThunderbird-translations-other-3.1.12-0.11.1
      enigmail-1.1.2+3.1.12-0.11.1
      mozilla-js192-1.9.2.20-1.2.1
      mozilla-xulrunner192-1.9.2.20-1.2.1
      mozilla-xulrunner192-buildsymbols-1.9.2.20-1.2.1
      mozilla-xulrunner192-devel-1.9.2.20-1.2.1
      mozilla-xulrunner192-gnome-1.9.2.20-1.2.1
      mozilla-xulrunner192-translations-common-1.9.2.20-1.2.1
      mozilla-xulrunner192-translations-other-1.9.2.20-1.2.1

   - openSUSE 11.4 (x86_64) [New Version: 1.9.2.20]:

      mozilla-js192-32bit-1.9.2.20-1.2.1
      mozilla-xulrunner192-32bit-1.9.2.20-1.2.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.20-1.2.1
      mozilla-xulrunner192-translations-common-32bit-1.9.2.20-1.2.1
      mozilla-xulrunner192-translations-other-32bit-1.9.2.20-1.2.1

   - openSUSE 11.3 (i586 x86_64) [New Version: 3.1.12]:

      MozillaThunderbird-3.1.12-0.15.1
      MozillaThunderbird-devel-3.1.12-0.15.1
      MozillaThunderbird-translations-common-3.1.12-0.15.1
      MozillaThunderbird-translations-other-3.1.12-0.15.1
      enigmail-1.1.2+3.1.12-0.15.1


References:

   https://bugzilla.novell.com/712224

openSUSE: 2011:0935-2: important: MozillaThunderbird

August 29, 2011
An update that contains security fixes can now be An update that contains security fixes can now be An update that contains security fixes can now be installed

Description

Mozilla Thunderbird was updated to 3.1.12 fixing various bugs and security issues: Mozilla Foundation Security Advisory 2011-32 (MFSA 2011-32) https://www.mozilla.org/en-US/security/advisories/mfsa2011-32/ Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may also enable such issues to be exploited. * Miscellaneous memory safety hazards (rv:1.9.2.20) Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Thunderbird 3.1 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Gary Kwong, Igor Bukanov, Nils and Bob Clary reported memory safety issues which affected Thunderbird 3.1. (CVE-2011-2982) * Crash in SVGTextElement.getCharNumAtPosition() Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a SVG text manipulation routine contained a dangling pointer vulnerability. (CVE-2011-0084) * Privilege escalation using event handlers Mozilla security researcher moz_bug_r_a_4 reported a vulnerability in event management code that would permit JavaScript to be run in the wrong context, including that of a different website or potentially in a chrome-privileged context. (CVE-2011-2981) * Dangling pointer vulnerability in appendChild Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that appendChild did not correctly account for DOM objects it operated upon and could be exploited to dereference an invalid pointer. (CVE-2011-2378) * Privilege escalation dropping a tab element in content area Mozilla security researcher moz_bug_r_a4 reported that web content could receive chrome privileges if it registered for drop events and a browser tab element was dropped into the content area. (CVE-2011-2984) * Binary planting vulnerability in ThinkPadSensor::Startup Security researcher Mitja Kolsek of Acros Security reported that ThinkPadSensor::Startup could potentially be exploited to load a malicious DLL into the running process. (CVE-2011-2980) * Private data leakage using RegExp.input Security researcher shutdown reported that data from other domains could be read when RegExp.input was set. (CVE-2011-2983)

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch MozillaThunderbird-5050 mozilla-js192-5010 - openSUSE 11.3: zypper in -t patch MozillaThunderbird-5050 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 11.4 (i586 x86_64) [New Version: 1.9.2.20 and 3.1.12]: MozillaThunderbird-3.1.12-0.11.1 MozillaThunderbird-buildsymbols-3.1.12-0.11.1 MozillaThunderbird-devel-3.1.12-0.11.1 MozillaThunderbird-translations-common-3.1.12-0.11.1 MozillaThunderbird-translations-other-3.1.12-0.11.1 enigmail-1.1.2+3.1.12-0.11.1 mozilla-js192-1.9.2.20-1.2.1 mozilla-xulrunner192-1.9.2.20-1.2.1 mozilla-xulrunner192-buildsymbols-1.9.2.20-1.2.1 mozilla-xulrunner192-devel-1.9.2.20-1.2.1 mozilla-xulrunner192-gnome-1.9.2.20-1.2.1 mozilla-xulrunner192-translations-common-1.9.2.20-1.2.1 mozilla-xulrunner192-translations-other-1.9.2.20-1.2.1 - openSUSE 11.4 (x86_64) [New Version: 1.9.2.20]: mozilla-js192-32bit-1.9.2.20-1.2.1 mozilla-xulrunner192-32bit-1.9.2.20-1.2.1 mozilla-xulrunner192-gnome-32bit-1.9.2.20-1.2.1 mozilla-xulrunner192-translations-common-32bit-1.9.2.20-1.2.1 mozilla-xulrunner192-translations-other-32bit-1.9.2.20-1.2.1 - openSUSE 11.3 (i586 x86_64) [New Version: 3.1.12]: MozillaThunderbird-3.1.12-0.15.1 MozillaThunderbird-devel-3.1.12-0.15.1 MozillaThunderbird-translations-common-3.1.12-0.15.1 MozillaThunderbird-translations-other-3.1.12-0.15.1 enigmail-1.1.2+3.1.12-0.15.1


References

https://bugzilla.novell.com/712224


Severity
Announcement ID: openSUSE-SU-2011:0935-2
Rating: important
Affected Products: openSUSE 11.4 openSUSE 11.3

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved