USN-431-1: Thunderbird vulnerabilities
7 March 2007
Thunderbird vulnerabilities
Releases
Details
The SSLv2 protocol support in the NSS library did not sufficiently
check the validity of public keys presented with a SSL certificate. A
malicious SSL web site using SSLv2 could potentially exploit this to
execute arbitrary code with the user's privileges. (CVE-2007-0008)
The SSLv2 protocol support in the NSS library did not sufficiently
verify the validity of client master keys presented in an SSL client
certificate. A remote attacker could exploit this to execute arbitrary
code in a server application that uses the NSS library. (CVE-2007-0009)
Various flaws have been reported that could allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening a
malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 6.10
-
mozilla-thunderbird
-
1.5.0.10-0ubuntu0.6.10
Ubuntu 6.06
-
mozilla-thunderbird
-
1.5.0.10-0ubuntu0.6.06
Ubuntu 5.10
-
mozilla-thunderbird
-
1.5.0.10-0ubuntu0.5.10
After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.
Related notices
- USN-428-1: firefox, libnspr4, libnss3