Synopsis: Critical: thunderbird security update
Issue date: 2007-05-30
CVE Names: CVE-2007-1362 CVE-2007-1558 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2871

Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. (CVE-2007-2867, CVE-2007-2868)

Several denial of service flaws were found in the way Thunderbird handled certain form and cookie data. A malicious web site that is able to set arbitrary form and cookie data could prevent Thunderbird from functioning properly. (CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Thunderbird processed certain APOP authentication requests. By sending certain responses when Thunderbird attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558)

A flaw was found in the way Thunderbird displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking users into thinking they are visiting a different site. (CVE-2007-2871)

SL 3.0.x

  SRPMS:
    thunderbird-1.5.0.12-0.1.SL3.src.rpm
  i386:
    thunderbird-1.5.0.12-0.1.SL3.i386.rpm
  x86_64:
    thunderbird-1.5.0.12-0.1.SL3.x86_64.rpm

SL 4.x

  SRPMS:
    thunderbird-1.5.0.12-0.1.el4.src.rpm
  i386:
    thunderbird-1.5.0.12-0.1.el4.i386.rpm
  x86_64:
    thunderbird-1.5.0.12-0.1.el4.x86_64.rpm

SL 5.x

  SRPMS:
    thunderbird-1.5.0.12-1.el5.src.rpm
  i386:
    thunderbird-1.5.0.12-1.el5.i386.rpm
  x86_64:
    thunderbird-1.5.0.12-1.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson