Lucene search

K
centosCentOS ProjectCESA-2007:1083
HistoryDec 21, 2007 - 4:34 p.m.

thunderbird security update

2007-12-2116:34:10
CentOS Project
lists.centos.org
38

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.945 High

EPSS

Percentile

99.2%

CentOS Errata and Security Advisory CESA-2007:1083

Mozilla Thunderbird is a standalone mail and newsgroup client.

A cross-site scripting flaw was found in the way Thunderbird handled the
jar: URI scheme. It may be possible for a malicious HTML mail message to
leverage this flaw, and conduct a cross-site scripting attack against a
user running Thunderbird. (CVE-2007-5947)

Several flaws were found in the way Thunderbird processed certain malformed
HTML mail content. A HTML mail message containing malicious content could
cause Thunderbird to crash, or potentially execute arbitrary code as the
user running Thunderbird. (CVE-2007-5959)

A race condition existed when Thunderbird set the “window.location”
property when displaying HTML mail content. This flaw could allow a HTML
mail message to set an arbitrary Referer header, which may lead to a
Cross-site Request Forgery (CSRF) attack against websites that rely only on
the Referer header for protection. (CVE-2007-5960)

All users of thunderbird are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2007-December/076709.html
https://lists.centos.org/pipermail/centos-announce/2007-December/076710.html
https://lists.centos.org/pipermail/centos-announce/2007-December/076714.html
https://lists.centos.org/pipermail/centos-announce/2007-December/076716.html
https://lists.centos.org/pipermail/centos-announce/2007-December/076719.html
https://lists.centos.org/pipermail/centos-announce/2007-December/076720.html

Affected packages:
thunderbird

Upstream details at:
https://access.redhat.com/errata/RHSA-2007:1083

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.945 High

EPSS

Percentile

99.2%