Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-24 ] Mozilla Thunderbird: Multiple vulnerabilities
Date: Sun, 18 Nov 2007 21:50:33
Message-Id: 4740AFA3.2050307@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Thunderbird: Multiple vulnerabilities
      Date: November 18, 2007
      Bugs: #196481
        ID: 200711-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Thunderbird,
which may allow user-assisted arbitrary remote code execution.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  mozilla-thunderbird               < 2.0.0.9                >= 2.0.0.9
  2  mozilla-thunderbird-bin           < 2.0.0.9                >= 2.0.0.9
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------
41
Description
===========

Multiple vulnerabilities have been reported in Mozilla Thunderbird's
HTML browser engine (CVE-2007-5339) and JavaScript engine
(CVE-2007-5340) that can be exploited to cause memory corruption.
48
Impact
======

A remote attacker could entice a user to read a specially crafted email
that could trigger one of the vulnerabilities, possibly leading to the
execution of arbitrary code.

Workaround
==========

There is no known workaround at this time for all of these issues, but
some of them can be avoided by disabling JavaScript.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.9"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.9"

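The upgrade commands above are the fix; the following POSIX shell snippet is an added example (not part of this advisory or of Gentoo's own tooling) that applies the advisory's thresholds to installed package names so an administrator can spot an install that is still below 2.0.0.9. The package names and the fixed version come from the advisory; the sample "category/package-version" strings in the demo are constructed.

```sh
#!/bin/sh
# Added example, not part of GLSA 200711-24: flag installed Thunderbird
# packages that this advisory covers and that are still below the fixed
# version 2.0.0.9. Versions are assumed to be plain dotted numbers as in
# the advisory (an optional Gentoo -rN revision suffix is ignored).

FIXED_VERSION="2.0.0.9"

# version_lt A B: exit 0 if A < B, comparing dotted components numerically,
# so that 2.0.0.10 correctly sorts after 2.0.0.9. Missing components are 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1   # equal, so not less than
}

# is_affected CPV: exit 0 if CPV ("category/package-version", as Portage
# prints it) is one of the two advisory packages at a vulnerable version.
is_affected() {
    cpv="$1"
    case "$cpv" in *-r[0-9]*) cpv="${cpv%-r*}" ;; esac   # drop -rN revision
    ver="${cpv##*-}"
    pkg="${cpv%-*}"
    case "$pkg" in
        mail-client/mozilla-thunderbird|mail-client/mozilla-thunderbird-bin) ;;
        *) return 1 ;;   # not covered by this advisory
    esac
    version_lt "$ver" "$FIXED_VERSION"
}

# Demo over constructed input (not data from a real system). On Gentoo the
# installed CPVs can be listed from /var/db/pkg/mail-client/ instead.
for cpv in mail-client/mozilla-thunderbird-2.0.0.8 \
           mail-client/mozilla-thunderbird-bin-2.0.0.9 \
           mail-client/mozilla-thunderbird-2.0.0.9-r1 \
           www-client/mozilla-firefox-2.0.0.8; do
    if is_affected "$cpv"; then
        echo "AFFECTED:     $cpv (upgrade to >= $FIXED_VERSION)"
    else
        echo "not affected: $cpv"
    fi
done
```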
References
==========

  [ 1 ] CVE-2007-5339
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
  [ 2 ] CVE-2007-5340
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5340
  [ 3 ] GLSA 200711-14
        http://www.gentoo.org/security/en/glsa/glsa-200711-14.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-24.xml
95
Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.
104
License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQK+juhJ+ozIKI5gRAvrmAJwIT9nGWtqALR9wOwqrpfCozEOVRgCfR36N
iiySbPAelqZNMW6jkMzSt6w=
=6BMP
-----END PGP SIGNATURE-----
--
gentoo-announce@g.o mailing list