Explore top 10 tips to secure your open-source projects now. Read More
×
Date: Wed, 1 Feb 2012 13:02:53 -0600 Reply-To:This email address is being protected from spambots. You need JavaScript enabled to view it. Sender: Security Erratfor ScientifiLinuxFrom: This email address is being protected from spambots. You need JavaScript enabled to view it. Subject: Security ERRATA Critical: thunderbird on SL6.i386/x86_64 Comments: To:This email address is being protected from spambots. You need JavaScript enabled to view it. Synopsis: Critical: thunderbird security update IssuDate: 2012-01-31 CVE Numbers: CVE-2012-0442 CVE-2011-3670 CVE-2012-0449 CVE-2011-3659 MozillThunderbird is standalonmaiand newsgrouclient. A use-after-freflaw was found in thway Thunderbird removed nsDOMAttributchild nodesIn certain circumstances, dutthpremature notification of AttributeChildRemoved, malicious script could possibly usthis flaw tcausThunderbird tcrash or, potentially, execute arbitrary codwith thprivileges of thuser running Thunderbird. (CVE-2011-3659) Severaflaws werfound in thprocessing of malformed contentAn HTML maimessagcontaining malicious content could causThunderbird tcrash or, potentially, executarbitrary codwith thprivileges of thuser running Thunderbird(CVE-2012-0442) A flaw was found in thway Thunderbird parsed certain ScalablVector Graphics (SVG) imagfiles that contained eXtensiblStylSheet Language Transformations (XSLT)An HTML maimessagcontaining malicious SVG imagfilcould causThunderbird tcrash or, potentially, execute arbitrary codwith thprivileges of thuser running Thunderbird. (CVE-2012-0449) Thsame-origin policy in Thunderbird treated and as interchangeableA malicious script could possibly usthis flaw tgain access tsensitivinformation (such as client's IP and user e-maiaddress, or httpOnly cookies) that may bincluded in HTTP proxy error replies, generated in responstinvalid URLs using squarbrackets(CVE-2011-3670) Note: ThCVE-2011-3659 and CVE-2011-3670 issues cannot bexploited by a specially-crafted HTML maimessagas JavaScript is disabled by default for maimessagesIt could bexploited another way in Thunderbird, for example, when viewing thfulremotcontent of an RSS feed. For technicadetails regarding thesflaws, refer tthMozillsecurity advisories for Thunderbird 3.1.18. AlThunderbird users should upgradtthesupdated packages, which contain Thunderbird version 3.1.18, which corrects thesissuesAfter installing thupdate, Thunderbird must brestarted for thchanges to takeffect. SL6: i386 thunderbird-3.1.18-1.el6_2.i686.rpm thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm x86_64 thunderbird-3.1.18-1.el6_2.x86_64.rpm thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm - ScientifiLinuDevelopment Team