Ubuntu Security Notice - Thunderbird vulnerabilities (USN-352-1)

Ubuntu Security Notice - Thunderbird vulnerabilities (USN-352-1)

===========================================================
Ubuntu Security Notice USN-352-1 September 25, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566,
CVE-2006-4567, CVE-2006-4570, CVE-2006-4571
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
mozilla-thunderbird 1.5.0.7-0ubuntu0.6.06

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious email containing JavaScript. Please note that JavaScript
is disabled by default for emails, and it is not recommended to enable
it. (CVE-2006-4253, CVE-2006-4565, CVE-2006-4566, CVE-2006-4571)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. (CVE-2006-4340)

http://www.net-security.org/advisory.php?id=6742