LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

February 2014

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA February 2014

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Important: thunderbird on SL5.x, SL6.x i386/x86_64
From:	Pat Riehecky <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Wed, 5 Feb 2014 00:53:45 +0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (57 lines)

Synopsis:          Important: thunderbird security update

Advisory ID:       SLSA-2014:0133-1

Issue Date:        2014-02-04

CVE Numbers:       CVE-2014-1477

                   CVE-2014-1479

                   CVE-2014-1482

                   CVE-2014-1486

                   CVE-2014-1487

                   CVE-2014-1481

--



Several flaws were found in the processing of malformed content. Malicious

content could cause Thunderbird to crash or, potentially, execute

arbitrary code with the privileges of the user running Thunderbird.

(CVE-2014-1477, CVE-2014-1482, CVE-2014-1486)



A flaw was found in the way Thunderbird handled error messages related to

web workers. An attacker could use this flaw to bypass the same-origin

policy, which could lead to cross-site scripting (XSS) attacks, or could

potentially be used to gather authentication tokens and other data from

third-party websites. (CVE-2014-1487)



A flaw was found in the implementation of System Only Wrappers (SOW). An

attacker could use this flaw to crash Thunderbird. When combined with

other vulnerabilities, this flaw could have additional security

implications. (CVE-2014-1479)



It was found that the Thunderbird JavaScript engine incorrectly handled

window objects. A remote attacker could use this flaw to bypass certain

security checks and possibly execute arbitrary code. (CVE-2014-1481)



Note: All of the above issues cannot be exploited by a specially crafted

HTML mail message as JavaScript is disabled by default for mail messages.

They could be exploited another way in Thunderbird, for example, when

viewing the full remote content of an RSS feed.



After installing the update, Thunderbird must be restarted for the changes

to take effect.

--



SL5

  x86_64

    thunderbird-24.3.0-2.el5_10.x86_64.rpm

    thunderbird-debuginfo-24.3.0-2.el5_10.x86_64.rpm

  i386

    thunderbird-24.3.0-2.el5_10.i386.rpm

    thunderbird-debuginfo-24.3.0-2.el5_10.i386.rpm

SL6

  x86_64

    thunderbird-24.3.0-2.el6_5.x86_64.rpm

    thunderbird-debuginfo-24.3.0-2.el6_5.x86_64.rpm

  i386

    thunderbird-24.3.0-2.el6_5.i686.rpm

    thunderbird-debuginfo-24.3.0-2.el6_5.i686.rpm



- Scientific Linux Development Team

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV