thunderbird security update

2006-09-1514:57:35

CentOS Project

lists.centos.org

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.967 High

EPSS

Percentile

99.6%

JSON

CentOS Errata and Security Advisory CESA-2006:0677

Mozilla Thunderbird is a standalone mail and newsgroup client.

Two flaws were found in the way Thunderbird processed certain regular
expressions. A malicious HTML email could cause a crash or possibly
execute arbitrary code as the user running Thunderbird. (CVE-2006-4565,
CVE-2006-4566)

A flaw was found in the Thunderbird auto-update verification system. An
attacker who has the ability to spoof a victim’s DNS could get Firefox to
download and install malicious code. In order to exploit this issue an
attacker would also need to get a victim to previously accept an
unverifiable certificate. (CVE-2006-4567)

A flaw was found in the handling of Javascript timed events. A malicious
HTML email could crash the browser or possibly execute arbitrary code as
the user running Thunderbird. (CVE-2006-4253)

Daniel Bleichenbacher recently described an implementation error in RSA
signature verification. For RSA keys with exponent 3 it is possible for an
attacker to forge a signature that which would be incorrectly verified by
the NSS library. (CVE-2006-4340)

A flaw was found in Thunderbird that triggered when a HTML message
contained a remote image pointing to a XBL script. An attacker could have
created a carefully crafted message which would execute Javascript if
certain actions were performed on the email by the recipient, even if
Javascript was disabled. (CVE-2006-4570)

A number of flaws were found in Thunderbird. A malicious HTML email could
cause a crash or possibly execute arbitrary code as the user running
Thunderbird. (CVE-2006-4571)

Users of Thunderbird are advised to upgrade to this update, which contains
Thunderbird version 1.5.0.7 that corrects these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2006-September/075405.html
https://lists.centos.org/pipermail/centos-announce/2006-September/075420.html
https://lists.centos.org/pipermail/centos-announce/2006-September/075421.html
https://lists.centos.org/pipermail/centos-announce/2006-September/075424.html

Affected packages:
thunderbird

Upstream details at:
https://access.redhat.com/errata/RHSA-2006:0677

OSVersionArchitecturePackageVersionFilename
CentOS4i386thunderbird< 1.5.0.7-0.1.el4.centos4thunderbird-1.5.0.7-0.1.el4.centos4.i386.rpm
CentOS4x86_64thunderbird< 1.5.0.7-0.1.el4.centos4thunderbird-1.5.0.7-0.1.el4.centos4.x86_64.rpm
CentOS4ia64thunderbird< 1.5.0.7-0.1.el4.centos4thunderbird-1.5.0.7-0.1.el4.centos4.ia64.rpm
CentOS4s390thunderbird< 1.5.0.7-0.1.el4.centos4thunderbird-1.5.0.7-0.1.el4.centos4.s390.rpm
CentOS4s390xthunderbird< 1.5.0.7-0.1.el4.centos4thunderbird-1.5.0.7-0.1.el4.centos4.s390x.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	4	i386	thunderbird	< 1.5.0.7-0.1.el4.centos4	thunderbird-1.5.0.7-0.1.el4.centos4.i386.rpm
CentOS	4	x86_64	thunderbird	< 1.5.0.7-0.1.el4.centos4	thunderbird-1.5.0.7-0.1.el4.centos4.x86_64.rpm
CentOS	4	ia64	thunderbird	< 1.5.0.7-0.1.el4.centos4	thunderbird-1.5.0.7-0.1.el4.centos4.ia64.rpm
CentOS	4	s390	thunderbird	< 1.5.0.7-0.1.el4.centos4	thunderbird-1.5.0.7-0.1.el4.centos4.s390.rpm
CentOS	4	s390x	thunderbird	< 1.5.0.7-0.1.el4.centos4	thunderbird-1.5.0.7-0.1.el4.centos4.s390x.rpm