[ MDVSA-2009:216 ] mozilla-thunderbird

[dude67]

_______________________________________________________________________

Package : mozilla-thunderbird
Date : August 23, 2009
Affected: Corporate 3.0
_______________________________________________________________________

Problem Description:

A number of security vulnerabilities have been discovered in the NSS
and NSPR libraries and in Mozilla Thunderbird:

Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404).

A vulnerability was found in xmltok_impl.c (expat) that with
specially crafted XML could be exploited and lead to a denial of
service attack. Related to CVE-2009-2625.

This update provides the latest versions of the NSS and NSPR libraries
and Thunderbird which are not vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2408
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2409
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2404
http://www.mozilla.org/security/announc ... 09-42.html
https://bugs.gentoo.org/show_bug.cgi?id=280615
_______________________________________________________________________