Ubuntu Security Notice - Thunderbird vulnerabilities (USN-352-1)

Discussion in 'other security issues & news' started by NICK ADSL UK, Sep 25, 2006.

Thread Status:
Not open for further replies.
  1. NICK ADSL UK

    NICK ADSL UK Administrator


    ===========================================================
    Ubuntu Security Notice USN-352-1 September 25, 2006
    mozilla-thunderbird vulnerabilities
    CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566,
    CVE-2006-4567, CVE-2006-4570, CVE-2006-4571
    ===========================================================

    A security issue affects the following Ubuntu releases:

    Ubuntu 6.06 LTS

    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.

    The problem can be corrected by upgrading your system to the
    following package versions:

    Ubuntu 6.06 LTS:
    mozilla-thunderbird 1.5.0.7-0ubuntu0.6.06

    After a standard system upgrade you need to restart Thunderbird to
    effect the necessary changes.

    Details follow:

    Various flaws have been reported that allow an attacker to execute
    arbitrary code with user privileges by tricking the user into opening
    a malicious email containing JavaScript. Please note that JavaScript
    is disabled by default for emails, and it is not recommended to enable
    it. (CVE-2006-4253, CVE-2006-4565, CVE-2006-4566, CVE-2006-4571)

    The NSS library did not sufficiently check the padding of PKCS #1 v1.5
    signatures if the exponent of the public key is 3 (which is widely
    used for CAs). This could be exploited to forge valid signatures
    without the need of the secret key. (CVE-2006-4340)

    http://www.net-security.org/advisory.php?id=6742
     