Fedora alert FEDORA-2007-3414 (thunderbird)
| From: | updates@fedoraproject.org | |
| To: | fedora-package-announce@redhat.com | |
| Subject: | [SECURITY] Fedora 8 Update: thunderbird-2.0.0.9-1.fc8 | |
| Date: | Thu, 15 Nov 2007 17:39:02 -0700 | |
| Message-ID: | <200711160039.lAG0ceeY017971@bastion.fedora.phx.redhat.com> |
-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2007-3414 2007-11-16 00:38:35.475568 -------------------------------------------------------------------------------- Name : thunderbird Product : Fedora 8 Version : 2.0.0.9 Release : 1.fc8 URL : http://www.mozilla.org/projects/thunderbird/ Summary : Mozilla Thunderbird mail/newsgroup client Description : Mozilla Thunderbird is a standalone mail and newsgroup client. -------------------------------------------------------------------------------- Update Information: Updated thunderbird packages that fix several security bugs are now available for Fedora Core 8. This update has been rated as having moderate security impact by the Fedora Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way in which Thunderbird processed certain malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) Several flaws were found in the way in which Thunderbird displayed malformed HTML mail content. An HTML mail message containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334) A flaw was found in the Thunderbird sftp protocol handler. A malicious HTML mail message could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337) A request-splitting flaw was found in the way in which Thunderbird generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292) Users of Thunderbird are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. -------------------------------------------------------------------------------- ChangeLog: * Thu Nov 15 2007 Christopher Aillon <caillon@redhat.com> 2.0.0.9-1 - Update to 2.0.0.9 -------------------------------------------------------------------------------- Updated packages: 824dbe355c39b89c05d952ad3d8b3972c23e692e thunderbird-2.0.0.9-1.fc8.ppc64.rpm 3b66cac2191917508966f7395adfdfb7bdfed0ec thunderbird-debuginfo-2.0.0.9-1.fc8.ppc64.rpm 7ee2a76490dd2d94e8b9b7caa0d8468c05e80b6e thunderbird-2.0.0.9-1.fc8.i386.rpm 510b858233a4a130066ea5bdacec964a7541779c thunderbird-debuginfo-2.0.0.9-1.fc8.i386.rpm af51df238e7a1dcfc20ad7a9063d5ecbe10c77ef thunderbird-2.0.0.9-1.fc8.x86_64.rpm 002be992c0574a9adaea3388c33327013a3e8e48 thunderbird-debuginfo-2.0.0.9-1.fc8.x86_64.rpm db67fb840815ebd52a311552e4dfb9bf86d9e1b0 thunderbird-debuginfo-2.0.0.9-1.fc8.ppc.rpm 2c4f243d7b19a522633d49ba858626ba4298b69a thunderbird-2.0.0.9-1.fc8.ppc.rpm 9fd56cd9942bcc109eb29ba2f7505783000bc3e0 thunderbird-2.0.0.9-1.fc8.src.rpm This update can be installed with the "yum" update program. Use su -c 'yum update thunderbird' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list Fedora-package-announce@redhat.com http://www.redhat.com/mailman/listinfo/fedora-package-ann...