Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Ubuntu 14.10 USN-2428-1 High: Thunderbird Memory Safety Threats

ubuntu
Calendar Grey December 3, 2014
Dist Ubuntu Esm H88
Patches addressing several vulnerabilities in Thunderbird for Ubuntu 14.10, 14.04 LTS, and 12.04 LTS are now available. Users are advised to update without delay.
Several security issues were fixed in Thunderbird.

Summary

Several security issues were fixed in Thunderbird.

Software Description:

- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas

Werner discovered multiple memory safety issues in Thunderbird. If a user

were tricked in to opening a specially crafted message with scripting

enabled, an attacker could potentially exploit these to cause a denial of

service via application crash, or execute arbitrary code with the

privileges of the user invoking Thunderbird. (CVE-2014-1587)

Joe Vennix discovered a crash when using XMLHttpRequest in some

circumstances. If a user were tricked in to opening a specially crafted

message with scripting enabled, an attacker could potentially exploit this

to cause a denial of service. (CVE-2014-1590)

Berend-Jan Wever discovered a use-after-free during HTML parsing. If a

user were tricked in to opening a specially crafted message with scripting

enable...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  thunderbird                     1:31.3.0+build1-0ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  thunderbird                     1:31.3.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  thunderbird                     1:31.3.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2428-1

CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593,

CVE-2014-1594

December 03, 2014

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.