USN-431-1: Thunderbird vulnerabilities

7 March 2007

mozilla-thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 6.10
  • Ubuntu 6.06 LTS
  • Ubuntu 5.10

Software Description

Details

The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with an SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user’s privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library. (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

Update instructions

The problem can be corrected by updating your system to the following package versions:

  • Ubuntu 6.10: mozilla-thunderbird - 1.5.0.10-0ubuntu0.6.10
  • Ubuntu 6.06 LTS: mozilla-thunderbird - 1.5.0.10-0ubuntu0.6.06
  • Ubuntu 5.10: mozilla-thunderbird - 1.5.0.10-0ubuntu0.5.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart Thunderbird to effect the necessary changes.

References