Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: b06-4824.htm

Thunderbird vulnerabilities
Thunderbird vulnerabilities
Thunderbird vulnerabilities

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Ubuntu Security Notice USN-350-1         September 21, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804,
CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809,
CVE-2006-3810, CVE-2006-3811, CVE-2006-3812, CVE-2006-4253,
CVE-2006-4340, CVE-2006-4565, CVE-2006-4566, CVE-2006-4567,
CVE-2006-4570, CVE-2006-4571
A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  mozilla-thunderbird-locale-ca            1.5-ubuntu5.10
  mozilla-thunderbird-locale-de            1.5-ubuntu5.10
  mozilla-thunderbird-locale-fr            1.5-ubuntu5.10
  mozilla-thunderbird-locale-it            1.5-ubuntu5.10
  mozilla-thunderbird-locale-nl            1.5-ubuntu5.10
  mozilla-thunderbird-locale-pl            1.5-ubuntu5.10
  mozilla-thunderbird-locale-uk            1.5-ubuntu5.10
  mozilla-thunderbird-enigmail             2:0.94-0ubuntu0.5.10

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Please note that Thunderbird 1.0.8 in Ubuntu 5.04 is also affected by
these problems. An update will be provided shortly.

Details follow:

This update upgrades Thunderbird from 1.0.8 to This step was
necessary since the 1.0.x series is not supported by upstream any

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious email containing JavaScript. Please note that JavaScript
is disabled by default for emails, and it is not recommended to enable
it. (CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805,
CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3810,
CVE-2006-3811, CVE-2006-3812, CVE-2006-4253, CVE-2006-4565,
CVE-2006-4566, CVE-2006-4571)

A buffer overflow has been discovered in the handling of .vcard files.
By tricking a user into importing a malicious vcard into his contacts,
this could be exploited to execute arbitrary code with the user's
privileges.  (CVE-2006-3804)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. (CVE-2006-4340)

Jon Oberheide reported a way how a remote attacker could trick users
into downloading arbitrary extensions with circumventing the normal
SSL certificate check. The attacker would have to be in a position to
spoof the victim's DNS, causing them to connect to sites of the
attacker's choosing rather than the sites intended by the victim. If
they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be
hijacked and redirected to the attacker's site without detection.

Georgi Guninski discovered that even with JavaScript disabled, a
malicous email could still execute JavaScript when the message is
viewed, replied to, or forwarded by putting the script in a remote XBL
file loaded by the message. (CVE-2006-4570)

The "enigmail" plugin and the translation packages have been updated
to work with the new Thunderbird version.

Updated packages for Ubuntu 5.10:

  Source archives: 
      Size/MD5:   451765 f226c2d1fb27ff7d1901563c0e7ae6aa 
      Size/MD5:      960 33f4c6cf8f964b3bbf0cb7bf2a9b3a41 
      Size/MD5: 35412353 4e43a174c53adf09382a4f959b86abe6 
      Size/MD5:    20864 3aee73c8c9d639372dc3f28a5f145324 
      Size/MD5:      785 25206240fb199da5bbb5ab080600b0d5 
      Size/MD5:  3126659 7e34cbe51f5a1faca2e26fa0edfd6a06 
      Size/MD5:      598 1d99f1f9e4dee5e65e3783a5f97dd263 
      Size/MD5:   194758 ef06a28aee74c384480bc0ab4b4b884c 
      Size/MD5:      596 4fa9a37540021ec258720b4870bb96d7 
      Size/MD5:   169713 7c1002115108c1ed63d270a8d679b039 
      Size/MD5:      599 ef565a49f01984cf671542e909fc9585 
      Size/MD5:   204062 8a1ef43eccb78e45895bd1bff458d0fe 
      Size/MD5:      601 90e8f323e3bc9a5f46c4a97a509cfc93 
      Size/MD5:   158517 cddf397975e97c0dbd7152f387655303 
      Size/MD5:      596 b4d740d0e33dde12c978b8f7385f690d 
      Size/MD5:   195416 fc5bc7dc7388131564bdbbd16ab10b93 
      Size/MD5:      632 de741d572f4ab22f99793aa3cfbe20e3 
      Size/MD5:   192583 5cf008def5286ed0054a0a5015607cf7 
      Size/MD5:      589 330958f8cb291d10cdc0196768233ad0 
      Size/MD5:    11499 dd66aaa9efadb412e3122657a2da25fa

  Architecture independent packages: 
      Size/MD5:   189666 473e996d047d43f6dd7bec92d53cfa03 
      Size/MD5:   167484 20623a5c44dc5b2196da99eed084b8b8 
      Size/MD5:   197384 6a49d6b1d63c6fbf5a5ba552916d933a 
      Size/MD5:   153016 c1e4f810878dfb4ea7a98422e566bab7 
      Size/MD5:   195206 a2b2c8189f2bdbd52ba207e467404e18 
      Size/MD5:   186030 4d1c2103ee676e569c0feb553161107c 
      Size/MD5:    11860 088e396b7bc681bbf773232e1fc62b7d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon) 
      Size/MD5:  3523522 a76de9534e4f7062f6ca1089ba190b95 
      Size/MD5:   190306 74bda8f95e40506db2eb9522ff5a0aad 
      Size/MD5:    55528 5bba85b882ef03b8d6abf6a30ee87581 
      Size/MD5: 11976232 2d6fd4f9dfc0f141d9deb7321d8c3d4f 
      Size/MD5:   334962 a958117e8d86e698a1e0486169086c96

  i386 architecture (x86 compatible Intel/AMD) 
      Size/MD5:  3516366 c0f3feae48b1c6aa62f3423279be2725 
      Size/MD5:   183652 664776fcb3fcc35bb58e7edbc3a5492b 
      Size/MD5:    51154 d35f0c9b0ad24a3ecb16c3ce29cd5427 
      Size/MD5: 10282110 16ef30b246a84f1872129c6ecd9d0a75 
      Size/MD5:   322874 fdfb2bb51b8b360734169d9a6362bfb7

  powerpc architecture (Apple Macintosh G3/G4/G5) 
      Size/MD5:  3520948 5d6db52b3aa4ea827dae5d2d1d42ade1 
      Size/MD5:   187002 2998ab2a9287273f9b80ad7ce9ba5829 
      Size/MD5:    54712 73da47232d65de50c846c0d287ccd4ca 
      Size/MD5: 11523006 c8d86889f60569a3d578241e63f89f11 
      Size/MD5:   326204 f25574cc20db03e78e0879b941a36600

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.4.3 (GNU/Linux)



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH