[SECURITY] Fedora 8 Update: thunderbird-2.0.0.9-1.fc8

updates at fedoraproject.org updates at fedoraproject.org
Fri Nov 16 00:39:02 UTC 2007 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-3414
2007-11-16 00:38:35.475568
--------------------------------------------------------------------------------

Name        : thunderbird
Product     : Fedora 8
Version     : 2.0.0.9
Release     : 1.fc8
URL         : http://www.mozilla.org/projects/thunderbird/
Summary     : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

--------------------------------------------------------------------------------
Update Information:

Updated thunderbird packages that fix several security bugs are now available for Fedora Core 8.

This update has been rated as having moderate security impact by the Fedora Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way in which Thunderbird processed certain malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)

Several flaws were found in the way in which Thunderbird displayed malformed HTML mail content. An HTML mail message containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)

A flaw was found in the Thunderbird sftp protocol handler. A malicious HTML mail message could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337)

A request-splitting flaw was found in the way in which Thunderbird generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292)

Users of Thunderbird are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 15 2007 Christopher Aillon <caillon at redhat.com> 2.0.0.9-1
- Update to 2.0.0.9
--------------------------------------------------------------------------------
Updated packages:

824dbe355c39b89c05d952ad3d8b3972c23e692e thunderbird-2.0.0.9-1.fc8.ppc64.rpm
3b66cac2191917508966f7395adfdfb7bdfed0ec thunderbird-debuginfo-2.0.0.9-1.fc8.ppc64.rpm
7ee2a76490dd2d94e8b9b7caa0d8468c05e80b6e thunderbird-2.0.0.9-1.fc8.i386.rpm
510b858233a4a130066ea5bdacec964a7541779c thunderbird-debuginfo-2.0.0.9-1.fc8.i386.rpm
af51df238e7a1dcfc20ad7a9063d5ecbe10c77ef thunderbird-2.0.0.9-1.fc8.x86_64.rpm
002be992c0574a9adaea3388c33327013a3e8e48 thunderbird-debuginfo-2.0.0.9-1.fc8.x86_64.rpm
db67fb840815ebd52a311552e4dfb9bf86d9e1b0 thunderbird-debuginfo-2.0.0.9-1.fc8.ppc.rpm
2c4f243d7b19a522633d49ba858626ba4298b69a thunderbird-2.0.0.9-1.fc8.ppc.rpm
9fd56cd9942bcc109eb29ba2f7505783000bc3e0 thunderbird-2.0.0.9-1.fc8.src.rpm

This update can be installed with the "yum" update program.  Use 
su -c 'yum update thunderbird' 
at the command line.  For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------

More information about the Fedora-package-announce mailing list