Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in Mozilla Thunderbird
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Mozilla Thunderbird
ID: USN-2010-1
Distribution: Ubuntu
Plattformen: Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.04, Ubuntu 13.10
Datum: Fr, 1. November 2013, 06:45
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5596
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5604
Applikationen: Mozilla Thunderbird

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3251134752604509782==
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="XhaJQfCPbSDqMsR7NLHEM3ahtxapvwlKO"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--XhaJQfCPbSDqMsR7NLHEM3ahtxapvwlKO
Content-Type: text/plain; charset=ISO-8859-
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-2010-1
October 31, 2013

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple memory safety issues were discovered in Thunderbird. If a user
were tricked in to opening a specially crafted message with scripting
enabled, an attacker could possibly exploit these to cause a denial of
service via application crash, or potentially execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2013-1739,
CVE-2013-5590, CVE-2013-5591)

Jordi Chancel discovered that HTML select elements could display arbitrary
content. If a user had scripting enabled, an attacker could potentially
exploit this to conduct URL spoofing or clickjacking attacks.
(CVE-2013-5593)

Abhishek Arya discovered a crash when processing XSLT data in some
circumstances. If a user had scripting enabled, an attacker could
potentially exploit this to execute arbitrary code with the privileges
of the user invoking Thunderbird. (CVE-2013-5604)

Dan Gohman discovered a flaw in the Javascript engine. If a user had
enabled scripting, when combined with other vulnerabilities an attacker
could possibly exploit this to execute arbitrary code with the privileges
of the user invoking Thunderbird. (CVE-2013-5595)

Ezra Pool discovered a crash on extremely large pages. If a user had
scripting enabled, an attacker could potentially exploit this to execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2013-5596)

Byoungyoung Lee discovered a use-after-free when updating the offline
cache. If a user had scripting enabled, an attacker could potentially
exploit this to cause a denial of service via application crash or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2013-5597)

Multiple use-after-free flaws were discovered in Thunderbird. If a user
had scripting enabled, an attacker could potentially exploit these to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2013-5599,
CVE-2013-5600, CVE-2013-5601)

A memory corruption flaw was discovered in the Javascript engine when
using workers with direct proxies. If a user had scripting enabled, an
attacker could potentially exploit this to cause a denial of service
via application crash or execute arbitrary code with the privileges of
the user invoking Thunderbird. (CVE-2013-5602)

Abhishek Arya discovered a use-after-free when interacting with HTML
document templates. If a user had scripting enabled, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2013-5603)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
  thunderbird                     1:24.1.0+build1-0ubuntu0.13.10.1

Ubuntu 13.04:
  thunderbird                     1:24.1.0+build1-0ubuntu0.13.04.1

Ubuntu 12.10:
  thunderbird                     1:24.1.0+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
  thunderbird                     1:24.1.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2010-1
  CVE-2013-1739, CVE-2013-5590, CVE-2013-5591, CVE-2013-5593,
  CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5599,
  CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603,
  CVE-2013-5604, https://launchpad.net/bugs/1245422

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.1.0+build1-0ubuntu0.13.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.1.0+build1-0ubuntu0.13.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.1.0+build1-0ubuntu0.12.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.1.0+build1-0ubuntu0.12.04.1



--XhaJQfCPbSDqMsR7NLHEM3ahtxapvwlKO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird-Trunk - http://www.enigmail.net/

iQEcBAEBAgAGBQJSclJ4AAoJEGEfvezVlG4P5okH/3zBS3MWiK4cjQ7Jc6ilIsPG
3xwe5vw1biaAJOqCzxrxJavHMnTbKhWxjZqgGYju2fzKDPC3i2455uTX+iLnc5Nq
ZB8SZXO+b0wl5a8/QkWmwq3xb1eUFQhONXwDCa6ptDwjE/BmDMO9P2zhzFygQ4s2
dg87WER0hKODK/scYJwG/EEvocs+ErD4Mvl/fNs3/tk0CAGE3yVbaBbrfFGu65GN
XGjE+wDaP8OXEr5mJICbXXysMQlpoYglnPhpwf8eH/rffeTQvnBvlwd8ictc/Tik
FD1DdcLAZqklBrmwKvokbEkgeYl5/a0/swSVbqv0bLseLwH0sXDqno6tPSI2Q0c=
=+svJ
-----END PGP SIGNATURE-----

--XhaJQfCPbSDqMsR7NLHEM3ahtxapvwlKO--


--===============3251134752604509782==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============3251134752604509782==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung