LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

June 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA June 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Critical: thunderbird on SL4.x, SL5.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Wed, 22 Jun 2011 11:52:48 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (61 lines)

Synopsis:    Critical: thunderbird security update
Issue Date:  2011-06-21
CVE Numbers: CVE-2011-2364
              CVE-2011-2373
              CVE-2011-2371
              CVE-2011-0083
              CVE-2011-2362
              CVE-2011-2377


Mozilla Thunderbird is a standalone mail and newsgroup client.

A flaw was found in the way Thunderbird handled malformed JPEG images. 
An HTML mail message containing a malicious JPEG image could cause 
Thunderbird to crash or, potentially, execute arbitrary code with the 
privileges of the user running Thunderbird. (CVE-2011-2377)

Multiple dangling pointer flaws were found in Thunderbird. Malicious 
HTML content could cause Thunderbird to crash or, potentially, execute 
arbitrary code with the privileges of the user running Thunderbird. 
(CVE-2011-0083, CVE-2011-0085, CVE-2011-2363)

Several flaws were found in the processing of malformed HTML content.
Malicious HTML content could cause Thunderbird to crash or, potentially,
execute arbitrary code with the privileges of the user running 
Thunderbird. (CVE-2011-2364, CVE-2011-2365, CVE-2011-2374, 
CVE-2011-2375, CVE-2011-2376)

An integer overflow flaw was found in the way Thunderbird handled
JavaScript Array objects. Malicious content could cause Thunderbird to
execute JavaScript with the privileges of the user running Thunderbird.
(CVE-2011-2371)

A use-after-free flaw was found in the way Thunderbird handled malformed
JavaScript. Malicious content could cause Thunderbird to execute 
JavaScript with the privileges of the user running Thunderbird. 
(CVE-2011-2373)

It was found that Thunderbird could treat two separate cookies (for web
content) as interchangeable if both were for the same domain name but 
one of those domain names had a trailing "." character. This violates 
the same-origin policy and could possibly lead to data being leaked to 
the wrong domain. (CVE-2011-2362)

All Thunderbird users should upgrade to this updated package, which
resolves these issues. All running instances of Thunderbird must be
restarted for the update to take effect.

SL4:
   i386
      thunderbird-1.5.0.12-39.el4.i386.rpm
   x86_64
      thunderbird-1.5.0.12-39.el4.x86_64.rpm
SL5:
   i386
      thunderbird-2.0.0.24-18.el5_6.i386.rpm
   x86_64
      thunderbird-2.0.0.24-18.el5_6.x86_64.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV