| Metric | Value |
|---|---|
| CVSS2 base score | 9.3 (High) |
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |
| CVSS2 vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| EPSS | 0.965 (High) |
| EPSS percentile | 99.6% |
CentOS Errata and Security Advisory CESA-2007:0981
Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way in which Thunderbird processed certain malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)

Several flaws were found in the way in which Thunderbird displayed malformed HTML mail content. An HTML mail message containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)

A flaw was found in the Thunderbird sftp protocol handler. A malicious HTML mail message could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337)

A request-splitting flaw was found in the way in which Thunderbird generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292)

Users of Thunderbird are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.

Merged security bulletin from advisories:

- https://lists.centos.org/pipermail/centos-announce/2007-October/076469.html
- https://lists.centos.org/pipermail/centos-announce/2007-October/076470.html
- https://lists.centos.org/pipermail/centos-announce/2007-October/076476.html
- https://lists.centos.org/pipermail/centos-announce/2007-October/076477.html
- https://lists.centos.org/pipermail/centos-announce/2007-October/076481.html
- https://lists.centos.org/pipermail/centos-announce/2007-October/076490.html

Affected packages: thunderbird

Upstream details at: https://access.redhat.com/errata/RHSA-2007:0981

| OS | Version | Architecture | Package | Affected version | Fixed package |
|---|---|---|---|---|---|
| CentOS | 5 | i386 | thunderbird | < 1.5.0.12-5.el5.centos | thunderbird-1.5.0.12-5.el5.centos.i386.rpm |
| CentOS | 5 | x86_64 | thunderbird | < 1.5.0.12-5.el5.centos | thunderbird-1.5.0.12-5.el5.centos.x86_64.rpm |
| CentOS | 4 | x86_64 | thunderbird | < 1.5.0.12-0.5.el4.centos | thunderbird-1.5.0.12-0.5.el4.centos.x86_64.rpm |
| CentOS | 4 | i386 | thunderbird | < 1.5.0.12-0.5.el4.centos | thunderbird-1.5.0.12-0.5.el4.centos.i386.rpm |
| CentOS | 4 | ia64 | thunderbird | < 1.5.0.12-0.5.el4.centos | thunderbird-1.5.0.12-0.5.el4.centos.ia64.rpm |
| CentOS | 4 | s390 | thunderbird | < 1.5.0.12-0.5.el4.centos | thunderbird-1.5.0.12-0.5.el4.centos.s390.rpm |
| CentOS | 4 | s390x | thunderbird | < 1.5.0.12-0.5.el4.centos | thunderbird-1.5.0.12-0.5.el4.centos.s390x.rpm |
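Acting on the table means deciding whether an installed thunderbird package is older than the fixed version, and RPM versions cannot be compared as strings or floats (1.5.0.12 against 2.0.0.6, or release 0.5.el4 against 5.el5). The following Python is an added example, not code from the CentOS project or from the rpm tool: it reimplements rpm's segment-wise version comparison (rpmvercmp) and applies it to a constructed sample inventory against the fixed versions taken from the table above. The `FIXED_VERSIONS` map, the sample hosts and the helper names are assumptions made here; the '^' ordering rule of newer rpm releases is omitted.

```python
"""Added example (not part of the advisory): decide whether an installed
thunderbird RPM is older than the fixed version listed in CESA-2007:0981,
using a reimplementation of rpm's version comparison (rpmvercmp).
The '^' rule of newer rpm releases is omitted."""
import re

# Fixed versions taken from the advisory's package table, keyed by OS release.
FIXED_VERSIONS = {
    ("centos", "5"): "1.5.0.12-5.el5.centos",
    ("centos", "4"): "1.5.0.12-0.5.el4.centos",
}

# rpm splits a version into digit runs, letter runs and '~'; every other
# character is a separator that is skipped and never compared.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version or release strings as rpm does."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) and i < len(sb):
        x, y = sa[i], sb[i]
        if x == "~" or y == "~":           # '~' sorts before everything (pre-releases)
            if x != y:
                return -1 if x == "~" else 1
            i += 1
            continue
        if x.isdigit() != y.isdigit():     # a numeric segment outranks an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                    # numeric: drop leading zeros, longer run wins
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:                         # equal-length digit runs or letters: lexical
            return 1 if x > y else -1
        i += 1
    if len(sa) == len(sb):
        return 0
    # One side has segments left over; it is newer unless the leftover is '~'.
    a_has_rest = i < len(sa)
    rest = sa[i] if a_has_rest else sb[i]
    if rest == "~":
        return -1 if a_has_rest else 1
    return 1 if a_has_rest else -1


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (int epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Compare epoch first, then version, then release (rpm's EVR ordering)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(os_name: str, os_version: str, installed_evr: str):
    """True if installed < fixed, False if at or past the fix, None if the
    advisory does not cover this OS release."""
    fixed = FIXED_VERSIONS.get((os_name.lower(), os_version))
    if fixed is None:
        return None
    return compare_evr(installed_evr, fixed) < 0


# Constructed sample inventory: (hostname, OS, OS version, installed EVR).
SAMPLE_INVENTORY = [
    ("mail-01", "CentOS", "5", "1.5.0.12-3.el5.centos"),    # older release: vulnerable
    ("mail-02", "CentOS", "5", "1.5.0.12-5.el5.centos"),    # exactly the fixed build
    ("mail-03", "CentOS", "4", "1.5.0.12-0.4.el4.centos"),  # older el4 release: vulnerable
    ("mail-04", "CentOS", "4", "1.5.0.12-0.5.el4.centos"),  # fixed el4 build
    ("mail-05", "CentOS", "5", "2.0.0.6-1.el5"),            # newer major version
]


def scan(inventory):
    """Return the hostnames whose installed package is older than the fix."""
    return [host for host, os_name, ver, evr in inventory
            if is_vulnerable(os_name, ver, evr)]


if __name__ == "__main__":
    for host in scan(SAMPLE_INVENTORY):
        print(f"{host}: thunderbird older than fixed version, apply CESA-2007:0981")
```

On a real host the installed EVR would come from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' thunderbird` rather than an embedded list; note that rpm prints `(none)` for a missing epoch, which must be mapped to 0 before calling `parse_evr`. The comparison is deliberately not a string comparison: "0.4.el4.centos" sorts below "0.5.el4.centos" because the second digit run is compared numerically, and "2.0.0.6" outranks "1.5.0.12" on its first segment regardless of the remaining text.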