LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: October 31st, 2014
Linux Security Week: October 27th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Fedora Core 4 Update: thunderbird-1.0.6-1.1.fc4 Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Fedora Fix various security related bugs.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-606
2005-07-20
---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : thunderbird
Version     : 1.0.6                      
Release     : 1.1.fc4                  
Summary     : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

---------------------------------------------------------------------
Update Information:

Mozilla Thunderbird is a standalone mail and newsgroup client.

A bug was found in the way Thunderbird handled anonymous functions during
regular expression string replacement. It is possible for a malicious HTML
mail to capture a random block of client memory. The Common
Vulnerabilities and Exposures project has assigned this bug the name
CAN-2005-0989.

A bug was found in the way Thunderbird validated several XPInstall related
JavaScript objects. A malicious HTML mail could pass other objects to the
XPInstall objects, resulting in the JavaScript interpreter jumping to
arbitrary locations in memory. (CAN-2005-1159)

A bug was found in the way the Thunderbird privileged UI code handled DOM
nodes from the content window. An HTML message could install malicious
JavaScript code or steal data when a user performs commonplace actions such
as clicking a link or opening the context menu. (CAN-2005-1160)

A bug was found in the way Thunderbird executed JavaScript code. JavaScript
executed from HTML mail should run with a restricted access level,
preventing dangerous actions. It is possible that a malicious HTML mail
could execute JavaScript code with elevated privileges, allowing access to
protected data and functions. (CAN-2005-1532)

A bug was found in the way Thunderbird executed Javascript in XBL controls.
It is possible for a malicious HTML mail to leverage this vulnerability to
execute other JavaScript based attacks even when JavaScript is disabled.
(CAN-2005-2261)

A bug was found in the way Thunderbird handled certain Javascript
functions. It is possible for a malicious HTML mail to crash the client by
executing malformed Javascript code. (CAN-2005-2265)

A bug was found in the way Thunderbird handled child frames. It is possible
for a malicious framed HTML mail to steal sensitive information from its
parent frame. (CAN-2005-2266)

A bug was found in the way Thunderbird handled DOM node names. It is
possible for a malicious HTML mail to overwrite a DOM node name, allowing
certain privileged chrome actions to execute the malicious JavaScript.
(CAN-2005-2269)

A bug was found in the way Thunderbird cloned base objects. It is possible
for HTML content to navigate up the prototype chain to gain access to
privileged chrome objects. (CAN-2005-2270)

Users of Thunderbird are advised to upgrade to this updated package that
contains Thunderbird version 1.0.6 and is not vulnerable to these issues. 
---------------------------------------------------------------------
* Wed Jul 20 2005 Christopher Aillon  1.0.6-1.1.fc4
- Update to 1.0.6

* Mon Jul 18 2005 Christopher Aillon  1.0.6-0.1.fc4
- 1.0.6 Release Candidate


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

51f614a0a887ffb58ce6bbf4f4eb7431  SRPMS/thunderbird-1.0.6-1.1.fc4.src.rpm
fc206b1fd0dccb15da66b2fe3b272175  ppc/thunderbird-1.0.6-1.1.fc4.ppc.rpm
0b94083b2f2415f84069e30c20742ec1  ppc/debug/thunderbird-debuginfo-1.0.6-1.1.fc4.ppc.rpm
38da7902f6e1bcfc45ef688e04a770e8  x86_64/thunderbird-1.0.6-1.1.fc4.x86_64.rpm
1a6bbee24e0559176e19ba1218d91e02  x86_64/debug/thunderbird-debuginfo-1.0.6-1.1.fc4.x86_64.rpm
f858562b2d77180acb6d40022fe1c3cd  i386/thunderbird-1.0.6-1.1.fc4.i386.rpm
90cba454ded9c8d4e049262abdea64d2  i386/debug/thunderbird-debuginfo-1.0.6-1.1.fc4.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pirate Bay founder guilty in historic hacker case
Parallels CTO: Linux container security is not the problem
Advisory says to assume all Drupal 7 websites are compromised
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.