[SECURITY] Fedora 7 Update: thunderbird-2.0.0.9-1.fc7
updates at fedoraproject.org
updates at fedoraproject.org
Fri Nov 16 00:41:37 UTC 2007
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-3431
2007-11-16 00:41:13.448056
--------------------------------------------------------------------------------
Name : thunderbird
Product : Fedora 7
Version : 2.0.0.9
Release : 1.fc7
URL : http://www.mozilla.org/projects/thunderbird/
Summary : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.
--------------------------------------------------------------------------------
Update Information:
Updated thunderbird packages that fix several security bugs are now available for Fedora Core 7.
This update has been rated as having moderate security impact by the Fedora Security Response Team.
Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the way in which Thunderbird processed certain malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)
Several flaws were found in the way in which Thunderbird displayed malformed HTML mail content. An HTML mail message containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)
A flaw was found in the Thunderbird sftp protocol handler. A malicious HTML mail message could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337)
A request-splitting flaw was found in the way in which Thunderbird generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292)
Users of Thunderbird are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Nov 15 2007 Christopher Aillon <caillon at redhat.com> 2.0.0.9-1
- Update to 2.0.0.9
* Wed Jul 25 2007 Martin Stransky <stransky at redhat.com> 2.0.0.5-2
- added ligature pango fix
* Fri Jul 20 2007 Kai Engert <kengert at redhat.com> - 2.0.0.5-1
- 2.0.0.5
* Fri Jun 15 2007 Christopher Aillon <caillon at redhat.com> 2.0.0.4-1
- 2.0.0.4
* Fri Jun 8 2007 Christopher Aillon <caillon at redhat.com> 2.0.0.4-0.rc1
- 2.0.0.4 rc1
--------------------------------------------------------------------------------
Updated packages:
7bb14b86dafeec69cf601052021e697362e95e2d thunderbird-debuginfo-2.0.0.9-1.fc7.ppc64.rpm
2443f00de62b39ca3c3ad2263ac29e327f6c7e7a thunderbird-2.0.0.9-1.fc7.ppc64.rpm
c475ecc57f82c36b80063319102b733f509a7023 thunderbird-debuginfo-2.0.0.9-1.fc7.i386.rpm
e70f1df09274e4d73f75ff1bff51b81fbc1ec4a7 thunderbird-2.0.0.9-1.fc7.i386.rpm
f3fe2a931beb160c87c342e4ce30278b506e2509 thunderbird-2.0.0.9-1.fc7.x86_64.rpm
da06571f6354e02a279e0f865ebd4072d0b64a0c thunderbird-debuginfo-2.0.0.9-1.fc7.x86_64.rpm
856939cfc3bbead10d211f37dfd9fb8ebcfc6bca thunderbird-2.0.0.9-1.fc7.ppc.rpm
b9a82af6dc6f2a619185ba61550e7d1412719c4b thunderbird-debuginfo-2.0.0.9-1.fc7.ppc.rpm
877f2a30eec4c894bfc9e2ba2be492a245af6b30 thunderbird-2.0.0.9-1.fc7.src.rpm
This update can be installed with the "yum" update program. Use
su -c 'yum update thunderbird'
at the command line. For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------
More information about the package-announce
mailing list