Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200605-09 ] Mozilla Thunderbird: Multiple vulnerabilities
Date: Mon, 08 May 2006 17:55:58
Message-Id: 445F81BF.90800@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200605-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Thunderbird: Multiple vulnerabilities
      Date: May 08, 2006
      Bugs: #130888
        ID: 200605-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities in Mozilla Thunderbird allow attacks ranging
from script execution with elevated privileges to information leaks.

Background
==========

Mozilla Thunderbird is the next-generation mail client from the Mozilla
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  mozilla-thunderbird            < 1.0.8                   >= 1.0.8
  2  mozilla-thunderbird-bin        < 1.0.8                   >= 1.0.8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Several vulnerabilities were found and fixed in Mozilla Thunderbird.

Impact
======

A remote attacker could craft malicious emails that would leverage
these issues to inject and execute arbitrary script code with elevated
privileges, steal local files or other information from emails, and
spoof content. Some of these vulnerabilities might even be exploited to
execute arbitrary code with the rights of the user running Thunderbird.

Workaround
==========

There are no known workarounds for all the issues at this time.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.0.8"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.0.8"

Note: There is no stable fixed version for the ALPHA architecture yet.
Users of Mozilla Thunderbird on ALPHA should consider unmerging it
until such a version is available.
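
Added example (not part of the original advisory): a shell check that
classifies a package version against the fixed version 1.0.8 given
above. The function names and the sample versions are constructed for
illustration; only plain dotted versions with an optional -rN revision
are handled, anything else is reported as unknown.

```sh
#!/bin/sh
# Added example, not part of the advisory: classify a package version
# against this GLSA's fixed version. Sample versions are constructed.

FIXED_VERSION="1.0.8"   # "Unaffected" column: >= 1.0.8

# ver_lt A B: succeed when dotted numeric version A is strictly lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}            # leading component of each side
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                              # equal versions are not lower
}

# glsa_status VERSION: print vulnerable, unaffected or unknown.
glsa_status() {
    v=${1%-r[0-9]*}                       # drop a Gentoo revision such as -r1
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # _rc, _p, letters: not handled
    esac
    if ver_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample versions, not taken from a real system.
for v in 1.0.7 1.0.7-r2 1.0 1.0.8 1.0.8-r1 1.5.0.2 1.0.8_rc1; do
    printf '%-10s %s\n' "$v" "$(glsa_status "$v")"
done
```

On a Gentoo host, gentoolkit's glsa-check -t 200605-09 runs the
equivalent test against the installed package database.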

References
==========

  [ 1 ] CVE-2006-0292
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
  [ 2 ] CVE-2006-0296
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296
  [ 3 ] CVE-2006-0748
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0748
  [ 4 ] CVE-2006-0749
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749
  [ 5 ] CVE-2006-0884
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0884
  [ 6 ] CVE-2006-1045
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1045
  [ 7 ] CVE-2006-1727
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727
  [ 8 ] CVE-2006-1728
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728
  [ 9 ] CVE-2006-1730
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730
  [ 10 ] CVE-2006-1731
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731
  [ 11 ] CVE-2006-1732
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732
  [ 12 ] CVE-2006-1733
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733
  [ 13 ] CVE-2006-1734
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734
  [ 14 ] CVE-2006-1735
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735
  [ 15 ] CVE-2006-1737
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737
  [ 16 ] CVE-2006-1738
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738
  [ 17 ] CVE-2006-1739
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739
  [ 18 ] CVE-2006-1741
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741
  [ 19 ] CVE-2006-1742
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742
  [ 20 ] CVE-2006-1790
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790
  [ 21 ] Mozilla Foundation Security Advisories
         http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200605-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
