LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: September 15th, 2014
Linux Security Week: September 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: Thunderbird vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email containing JavaScript. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. The following CVEIDs have been addressed: CVE-2006-4253, CVE-2006-4565, CVE-2006-4566, CVE-2006-4571, CVE-2006-4340, CVE-2006-4567, CVE-2006-4570
=========================================================== 
Ubuntu Security Notice USN-352-1         September 25, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566,
CVE-2006-4567, CVE-2006-4570, CVE-2006-4571
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird                      1.5.0.7-0ubuntu0.6.06

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious email containing JavaScript. Please note that JavaScript
is disabled by default for emails, and it is not recommended to enable
it. (CVE-2006-4253, CVE-2006-4565, CVE-2006-4566, CVE-2006-4571)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. (CVE-2006-4340)

Jon Oberheide reported a way how a remote attacker could trick users
into downloading arbitrary extensions with circumventing the normal
SSL certificate check. The attacker would have to be in a position to
spoof the victim's DNS, causing them to connect to sites of the
attacker's choosing rather than the sites intended by the victim. If
they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be
hijacked and redirected to the attacker's site without
detection.  (CVE-2006-4567)

Georgi Guninski discovered that even with JavaScript disabled, a
malicous email could still execute JavaScript when the message is
viewed, replied to, or forwarded by putting the script in a remote XBL
file loaded by the message. (CVE-2006-4570)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.7-0ubuntu0.6.06.diff.gz
      Size/MD5:   454846 64c786b0c2886ff4a1cbb24fe4b76886
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.7-0ubuntu0.6.06.dsc
      Size/MD5:      962 2560649686a20166450e44098142e80b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.7-0ubuntu0.6.06_amd64.deb
      Size/MD5:  3528618 27f6a9eec39470b434459d291cb1fbe7
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.7-0ubuntu0.6.06_amd64.deb
      Size/MD5:   193760 86704efd60c8268803fc81d9b75e4342
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.7-0ubuntu0.6.06_amd64.deb
      Size/MD5:    59010 12f13e9662d7073cb7983acb4d7f42df
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.7-0ubuntu0.6.06_amd64.deb
      Size/MD5: 11984618 4b1a19fe4c27ed9cd753674c0201e3d7

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.7-0ubuntu0.6.06_i386.deb
      Size/MD5:  3520394 ebda5194f4385d2349bbd8b43bc519e0
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.7-0ubuntu0.6.06_i386.deb
      Size/MD5:   187130 cd3ff598ead2861320571a96aefb0eda
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.7-0ubuntu0.6.06_i386.deb
      Size/MD5:    54524 647bb673f71dadb2db6f8d7d1371f1ff
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.7-0ubuntu0.6.06_i386.deb
      Size/MD5: 10282888 0e6e3b82d902623916747a4048e23c46

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.7-0ubuntu0.6.06_powerpc.deb
      Size/MD5:  3525354 cf51bead4b7313430956751fbb878d94
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.7-0ubuntu0.6.06_powerpc.deb
      Size/MD5:   190474 713a352b045073a5ed9e0f2d1c125ebf
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.7-0ubuntu0.6.06_powerpc.deb
      Size/MD5:    58132 e188bfb0240ab1ffe1eedb45ab8f7a65
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.7-0ubuntu0.6.06_powerpc.deb
      Size/MD5: 11553840 cef4451a346cd1b7a8467952d37fb783

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.7-0ubuntu0.6.06_sparc.deb
      Size/MD5:  3521948 3d7b32c04d4423753e1bd6dfa2e8cb1d
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.7-0ubuntu0.6.06_sparc.deb
      Size/MD5:   187916 346c9adfe5d44a87bd4efdec5a216f2f
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.7-0ubuntu0.6.06_sparc.deb
      Size/MD5:    56012 549260b3328eb704f19299f36c1f177e
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.7-0ubuntu0.6.06_sparc.deb
      Size/MD5: 10753714 1e9426592ede9bd2c5364e5b6c2bb5da

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Today's Security Hacks Are After More Than Bank Info
How Boston Children's Hospital Hit Back at Anonymous
SNMP DDoS Scans Spoof Google Public DNS Server
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.