_______________________________________________________________________
Package : mozilla-thunderbird
Date : April 23, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in
mozilla-thunderbird:
Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19
process e-mail attachments with a parser that performs casts and
line termination incorrectly, which allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted message, related to message indexing
(CVE-2009-0689).
Integer overflow in a base64 decoding function in Mozilla Firefox
before 3.0.12 and Thunderbird allows remote attackers to cause a
denial of service (memory corruption and application crash) or possibly
execute arbitrary code via unspecified vectors (CVE-2009-2463).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers
to cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors (CVE-2009-3072).
Multiple unspecified vulnerabilities in the JavaScript engine
in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via unknown
vectors (CVE-2009-3075).
Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not
properly manage pointers for the columns (aka TreeColumns) of a XUL
tree element, which allows remote attackers to execute arbitrary
code via a crafted HTML document, related to a dangling pointer
vulnerability (CVE-2009-3077).
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey
before 2.0, does not properly handle a right-to-left override (aka
RLO or U+202E) Unicode character in a download filename, which allows
remote attackers to spoof file extensions via a crafted filename,
as demonstrated by displaying a non-executable extension for an
executable file (CVE-2009-3376).
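A defender-side check for the RLO filename spoofing described above, added here as an example and not code from this advisory or from Mozilla. It flags bidi control characters in an attachment or download filename and compares the extension a user would see with the one the OS would actually use; the rendering model (text after U+202E reversed until U+202C) is a deliberate simplification of the Unicode bidi algorithm, and the sample filename is constructed.

```python
# Unicode bidi control characters that can reorder how a filename is displayed.
# Assumption: none of these has a legitimate place in a filename, so any
# occurrence is treated as suspicious.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after an RLO (U+202E) is
    reversed until a PDF (U+202C) or end of string; control characters are
    invisible. Simplified model, not the full Unicode bidi algorithm."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])  # reversed run
            i = j + 1                        # skip the closing PDF, if any
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_filename(name: str) -> dict:
    """Report what the user sees versus what the filesystem uses."""
    shown = displayed_name(name)
    # The OS ignores display order: strip controls and take the real suffix.
    actual = _extension("".join(c for c in name if c not in BIDI_CONTROLS))
    return {
        "has_bidi_control": any(c in BIDI_CONTROLS for c in name),
        "displayed_as": shown,
        "displayed_extension": _extension(shown),
        "actual_extension": actual,
        "extension_mismatch": _extension(shown) != actual,
    }


# Constructed sample: displays as "reportexe.pdf" but is really a .exe file.
SAMPLE = "report\u202efdp.exe"
```

Run `check_filename(SAMPLE)` to see the mismatch; a mail gateway or download handler would reject or rename any name where `has_bidi_control` or `extension_mismatch` is true.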
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
before 2.0.1, allows remote attackers to send authenticated requests
to arbitrary applications by replaying the NTLM credentials of a
browser user (CVE-2009-3983).
Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19
process e-mail attachments with a parser that performs casts and
line termination incorrectly, which allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted message, related to message indexing
(CVE-2010-0163).
This update provides the latest version of Thunderbird, which is not
vulnerable to these issues.
Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.
Additionally, some packages that depend on it have been rebuilt and
are being provided as updates.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-0689
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2463
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3072
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3075
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3077
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3376
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3983
http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-0163
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2462
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2466
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2470
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3076
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3274
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3380
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3979
http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-0159
http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-0161
http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-0169
http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-0171
http://www.mozilla.org/security/known-v ... ird20.html
http://www.mozilla.org/security/known-v ... ird30.html
https://qa.mandriva.com/58862
_______________________________________________________________________