USN-431-1: Thunderbird vulnerabilities

07 March 2007

Details

The SSLv2 protocol support in the NSS library did not sufficiently
check the validity of public keys presented with an SSL certificate. A
malicious SSL web site using SSLv2 could potentially exploit this to
execute arbitrary code with the user's privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently
verify the validity of client master keys presented in an SSL client
certificate. A remote attacker could exploit this to execute arbitrary
code in a server application that uses the NSS library. (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening a
malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 6.10
  • mozilla-thunderbird - 1.5.0.10-0ubuntu0.6.10
Ubuntu 6.06
  • mozilla-thunderbird - 1.5.0.10-0ubuntu0.6.06
Ubuntu 5.10
  • mozilla-thunderbird - 1.5.0.10-0ubuntu0.5.10

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.
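
One way to confirm a host carries the fix, as an added example that is not part of the original notice: it compares an installed mozilla-thunderbird version string against the fixed versions listed above using Debian package version ordering. The function names and the sample installed versions are assumptions constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed mozilla-thunderbird versions per Ubuntu release, as listed in this notice.
FIXED = {
    "6.10": "1.5.0.10-0ubuntu0.6.10",
    "6.06": "1.5.0.10-0ubuntu0.6.06",
    "5.10": "1.5.0.10-0ubuntu0.5.10",
}

def _order(ch):
    # Debian ordering inside a non-digit run: '~' first, then letters, then the rest.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    # Split into alternating (non-digit run, number) pairs; 0 marks the end of a run.
    return [([_order(c) for c in nd] + [0], int(num or 0))
            for nd, num in re.findall(r"(\D*)(\d*)", part)]

def _cmp_part(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 following Debian package version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    """True if `installed` is at or above the fixed version for `release`."""
    return compare_versions(installed, FIXED[release]) >= 0

if __name__ == "__main__":
    # Constructed samples; on a host use: dpkg-query -W -f='${Version}' mozilla-thunderbird
    for rel, ver in [("6.10", "1.5.0.9-0ubuntu0.6.10"), ("6.06", "1.5.0.10-0ubuntu0.6.06")]:
        print(rel, ver, "patched" if is_patched(rel, ver) else "VULNERABLE: upgrade")
```

A plain string comparison would rank 1.5.0.9 above 1.5.0.10 and report an unpatched host as fixed, which is why the numeric runs are compared as integers.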