Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
centosCentOS ProjectCESA-2012:0080
HistoryFeb 01, 2012 - 11:56 a.m.

thunderbird security update

2012-02-0111:56:07
CentOS Project
lists.centos.org
51

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.914 High

EPSS

Percentile

98.9%

JSON

CentOS Errata and Security Advisory CESA-2012:0080

Mozilla Thunderbird is a standalone mail and newsgroup client.

A use-after-free flaw was found in the way Thunderbird removed
nsDOMAttribute child nodes. In certain circumstances, due to the premature
notification of AttributeChildRemoved, a malicious script could possibly
use this flaw to cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2011-3659)

Several flaws were found in the processing of malformed content. An HTML
mail message containing malicious content could cause Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running Thunderbird. (CVE-2012-0442)

A flaw was found in the way Thunderbird parsed certain Scalable Vector
Graphics (SVG) image files that contained eXtensible Style Sheet Language
Transformations (XSLT). An HTML mail message containing a malicious SVG
image file could cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2012-0449)

The same-origin policy in Thunderbird treated http://example.com and
http://[example.com] as interchangeable. A malicious script could possibly
use this flaw to gain access to sensitive information (such as a client’s
IP and user e-mail address, or httpOnly cookies) that may be included in
HTTP proxy error replies, generated in response to invalid URLs using
square brackets. (CVE-2011-3670)

Note: The CVE-2011-3659 and CVE-2011-3670 issues cannot be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. It could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 3.1.18. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to these updated packages, which
contain Thunderbird version 3.1.18, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2012-February/080568.html

Affected packages:
thunderbird

Upstream details at:
https://access.redhat.com/errata/RHSA-2012:0080

OSVersionArchitecturePackageVersionFilename
CentOS6i686thunderbird< 3.1.18-1.el6.centosthunderbird-3.1.18-1.el6.centos.i686.rpm
CentOS6x86_64thunderbird< 3.1.18-1.el6.centosthunderbird-3.1.18-1.el6.centos.x86_64.rpm

Related

openvas 65
nessus 56
oraclelinux 4
redhat 4
suse 4
centos 3
ubuntu 6
debian 3
osv 3
freebsd 1
securityvulns 6
saint 4
veracode 4
cve 4
prion 4
ubuntucve 4
mozilla 4
packetstorm 1
zdi 1
kitploit 1
gentoo 1
openvas
openvas
CentOS Update for thunderbird CESA-2012:0080 centos6
2012-07-30 00:00:00
RedHat Update for thunderbird RHSA-2012:0080-01
2012-07-09 00:00:00
CentOS Update for thunderbird CESA-2012:0080 centos6
2012-07-30 00:00:00
nessus
nessus
CentOS 6 : thunderbird (CESA-2012:0080)
2012-02-02 00:00:00
Oracle Linux 6 : thunderbird (ELSA-2012-0080)
2013-07-12 00:00:00
RHEL 6 : thunderbird (RHSA-2012:0080)
2012-02-01 00:00:00
oraclelinux
oraclelinux
thunderbird security update
2012-01-31 00:00:00
firefox security update
2012-01-31 00:00:00
seamonkey security update
2012-02-01 00:00:00
redhat
redhat
(RHSA-2012:0080) Critical: thunderbird security update
2012-01-31 00:00:00
(RHSA-2012:0079) Critical: firefox security update
2012-01-31 00:00:00
(RHSA-2012:0085) Critical: thunderbird security update
2012-02-01 00:00:00
suse
suse
Security update for Mozilla Firefox (important)
2012-02-09 19:10:22
Security update for Mozilla XULrunner (important)
2012-02-09 19:07:25
MozillaFirefox: Version 10 (important)
2012-02-09 19:10:49
centos
centos
firefox, xulrunner security update
2012-02-01 03:34:27
thunderbird security update
2012-02-01 12:31:49
seamonkey security update
2012-02-01 12:34:44
ubuntu
ubuntu
Xulrunnner vulnerabilities
2012-02-08 00:00:00
Thunderbird vulnerabilities
2012-02-08 00:00:00
Firefox vulnerabilities
2012-02-03 00:00:00
debian
debian
[SECURITY] [DSA 2400-1] iceweasel security update
2012-02-02 19:52:15
[SECURITY] [DSA 2402-1] iceape security update
2012-02-02 19:53:30
[SECURITY] [DSA 2406-1] icedove security update
2012-02-09 12:07:23
osv
osv
iceape - several
2012-02-02 00:00:00
icedove - several
2012-02-09 00:00:00
iceweasel - several
2012-02-02 00:00:00
freebsd
freebsd
mozilla -- multiple vulnerabilities
2012-01-31 00:00:00
securityvulns
securityvulns
Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities
2012-02-03 00:00:00
Mozilla Foundation Security Advisory 2012-04
2012-02-03 00:00:00
Mozilla Foundation Security Advisory 2012-02
2012-02-03 00:00:00
saint
saint
Firefox AttributeChildRemoved Use After Free
2012-05-21 00:00:00
Firefox AttributeChildRemoved Use After Free
2012-05-21 00:00:00
Firefox AttributeChildRemoved Use After Free
2012-05-21 00:00:00
veracode
veracode
Arbitrary Code Execution
2020-04-10 01:07:17
Information Disclosure
2020-04-10 01:07:18
Arbitrary Code Execution
2020-04-10 01:07:21
cve
cve
CVE-2011-3659
2012-02-01 16:55:00
CVE-2011-3670
2012-02-01 16:55:00
CVE-2012-0449
2012-02-01 16:55:00
prion
prion
Design/Logic Flaw
2012-02-01 16:55:00
Memory corruption
2012-02-01 16:55:00
Information disclosure
2012-02-01 16:55:00
ubuntucve
ubuntucve
CVE-2011-3659
2012-02-01 00:00:00
CVE-2011-3670
2012-02-01 00:00:00
CVE-2012-0449
2012-02-01 00:00:00
mozilla
mozilla
Overly permissive IPv6 literal syntax — Mozilla
2012-01-31 00:00:00
Crash with malformed embedded XSLT stylesheets — Mozilla
2012-01-31 00:00:00
Child nodes from nsDOMAttribute still accessible after removal of nodes — Mozilla
2012-01-31 00:00:00
packetstorm
packetstorm
Firefox 8/9 AttributeChildRemoved() Use-After-Free
2012-05-14 00:00:00
zdi
zdi
Mozilla Firefox AttributeChildRemoved Use-After-Free Remote Code Execution Vulnerability
2012-06-28 00:00:00
kitploit
kitploit
Radamsa - A General-Purpose Fuzzer
2024-03-25 11:30:00
gentoo
gentoo
Mozilla Products: Multiple vulnerabilities
2013-01-08 00:00:00

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.914 High

EPSS

Percentile

98.9%

JSON
Related for CESA-2012:0080
openvas65nessus56oraclelinux4redhat4suse4centos3ubuntu6debian3osv3freebsd1securityvulns6saint4veracode4cve4prion4ubuntucve4mozilla4packetstorm1zdi1kitploit1gentoo1