=========================================================== Ubuntu Security Notice USN-782-1 June 25, 2009 thunderbird vulnerabilities CVE-2009-1303, CVE-2009-1305, CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309, CVE-2009-1392, CVE-2009-1833, CVE-2009-1836, CVE-2009-1838, CVE-2009-1841 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: thunderbird 2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1 Ubuntu 8.10: thunderbird 2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1 Ubuntu 9.04: thunderbird 2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1 After a standard system upgrade you need to restart Thunderbird to effect the necessary changes. Details follow: Several flaws were discovered in the JavaScript engine of Thunderbird. If a user had JavaScript enabled and were tricked into viewing malicious web content, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-1303, CVE-2009-1305, CVE-2009-1392, CVE-2009-1833, CVE-2009-1838) Several flaws were discovered in the way Thunderbird processed malformed URI schemes. If a user were tricked into viewing a malicious website and had JavaScript and plugins enabled, a remote attacker could execute arbitrary JavaScript or steal private data. (CVE-2009-1306, CVE-2009-1307, CVE-2009-1309) Cefn Hoile discovered Thunderbird did not adequately protect against embedded third-party stylesheets. If JavaScript were enabled, an attacker could exploit this to perform script injection attacks using XBL bindings. (CVE-2009-1308) Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that Thunderbird did not properly handle error responses when connecting to a proxy server. If a user had JavaScript enabled while using Thunderbird to view websites and a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2009-1836) It was discovered that Thunderbird could be made to run scripts with elevated privileges. If a user had JavaScript enabled while having certain non-default add-ons installed and were tricked into viewing a malicious website, an attacker could cause a chrome privileged object, such as the browser sidebar, to run arbitrary code via interactions with the attacker controlled website. (CVE-2009-1841) Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1.diff.gz Size/MD5: 129375 50f163cb84ce93993d4e3a7b2f11ef64 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1.dsc Size/MD5: 2368 8038ba3ba27520e380f39b989a57130c http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly.orig.tar.gz Size/MD5: 37790894 f04e5745655a0720ba5f37a968df290d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 60564 63b6eee61fce05ac62c1735b99580458 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5: 60550 98653777b440983e0a5d8764d42a0cea amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 3783728 842547585887a63ca7dc6e4fdf1984b3 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 85448 0697d17c399e80f613775dae2a6490d5 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb Size/MD5: 12412834 2c41d864fb6889e149c2c39a61717e4f i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_i386.deb Size/MD5: 3770530 e3ede36cc0599b0586d47f637879db44 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_i386.deb Size/MD5: 80840 0658a9fad40b9678fc7c37a06bf9aec6 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_i386.deb Size/MD5: 10982636 4cd6e3b52bb41302f4fab065dfdbb6f9 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb Size/MD5: 3768330 277a47cf856821877f6a7f903c16095c http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb Size/MD5: 80576 781b6b72a98046251ebcc69e29a07f1a http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb Size/MD5: 10829794 b38988dbaa2e055ce2167ca7c3ede57d powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb Size/MD5: 3787538 30525ea17b19ca6a3037510521fa62d2 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb Size/MD5: 83848 45727a77365efa4979e02e8421a2c75d http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb Size/MD5: 12255960 eba7111f498e268fd316d3b10243c58e sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_sparc.deb Size/MD5: 3768722 2b2e0ac937b14f1718a2b03e6e8f8a4e http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_sparc.deb Size/MD5: 80296 bc51f99b9c9ccba11af3c233581a51df http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1_sparc.deb Size/MD5: 11257500 93fd35a33bf02271c9c1d0c42159f2e3 Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1.diff.gz Size/MD5: 130171 fffd1290f2a94ea1af6e09aae28a45b3 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1.dsc Size/MD5: 2350 ed418b42a976a5b90236858b3c0ab4e3 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly.orig.tar.gz Size/MD5: 37790894 f04e5745655a0720ba5f37a968df290d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_all.deb Size/MD5: 60872 c208ef55c11bb1415c38eac776712a8c http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_all.deb Size/MD5: 60860 f968fe3507cdbabe971dae4145240d79 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_amd64.deb Size/MD5: 3737230 9b97e87156258d87953df9e6889c9a17 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_amd64.deb Size/MD5: 85616 fc687f588f4c2749bbe0800699fe0f3d http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_amd64.deb Size/MD5: 12439672 2af5289f2761ba39bbc4c965407347f0 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_i386.deb Size/MD5: 3721796 75c2d7d1e1729b402971ebfc3ba83319 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_i386.deb Size/MD5: 81208 6c827e62a1b407b2e9e96821bfc547b5 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_i386.deb Size/MD5: 11044694 6dd9d9f06e06c6fb57869837e0566f5a lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_lpia.deb Size/MD5: 3718302 9c07e471cd961e2ec86a9d3125f49eed http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_lpia.deb Size/MD5: 80918 0051146fc0ea1aef32c69a1aad623b61 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_lpia.deb Size/MD5: 10866146 59641fc3c2e8d571c24a70a6314d6b39 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_powerpc.deb Size/MD5: 3736442 0b810be2b1d3b694d8c70827defa624b http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_powerpc.deb Size/MD5: 84084 3ede09a9a37de7c8a7f4044ff23aca64 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_powerpc.deb Size/MD5: 12217834 fee3c22defa9a1d25c87ea2e7364bd5a sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_sparc.deb Size/MD5: 3724330 67c1ea90443b28a318c09db29b2166bf http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_sparc.deb Size/MD5: 80926 f27dafba64ee8bee5a95c5a0ed46cf47 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1_sparc.deb Size/MD5: 11193104 d2b4ed46e5b2852177f34a58bca294b7 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1.diff.gz Size/MD5: 131710 8e09ef4040310a7210d044d883b2d0c8 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1.dsc Size/MD5: 2350 cccc236d2e73384d0676e321d6aad10d http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly.orig.tar.gz Size/MD5: 37790894 f04e5745655a0720ba5f37a968df290d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_all.deb Size/MD5: 61254 f1dc248f2e11b00e25112d6662aa11d4 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_all.deb Size/MD5: 61244 6ce3e8cd57e5af79261006a99d598934 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_amd64.deb Size/MD5: 3737488 8c17faee20cdb33cfca540818f62612d http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_amd64.deb Size/MD5: 85966 b2b4d31d20b9d204147e09d234fcb052 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_amd64.deb Size/MD5: 12440604 241c0db68fe894a68f9b05f6bdf72c00 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_i386.deb Size/MD5: 3722372 675b0a247e184abe0a6045b6709a1f29 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_i386.deb Size/MD5: 81624 ece46402338cef56dfc45f9cba30f819 http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_i386.deb Size/MD5: 11046758 f0e857e8a54259ee33869904f49d22a0 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_lpia.deb Size/MD5: 3718718 04d49b21a51e00ba9c59dbe9c4d6c6eb http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_lpia.deb Size/MD5: 81346 578d2de932e11e2227d424aa0e209d37 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_lpia.deb Size/MD5: 10866580 a885ed7a9dd993ff857f076a22c1493c powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_powerpc.deb Size/MD5: 3736688 950f25db3b3f0f2bf1bd744379915eba http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_powerpc.deb Size/MD5: 84464 3e50b5d4dd0cd869830c7785bbe38eb9 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_powerpc.deb Size/MD5: 12218566 3d25deedfb55e218320e8a3f378b6bf8 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_sparc.deb Size/MD5: 3724916 f925b4c5b5d3ff19525c6a650bc1ec8d http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_sparc.deb Size/MD5: 81232 ea70b7b8c8670f1797e73267f2e42540 http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1_sparc.deb Size/MD5: 11191552 dd69cd928c72ee2f6d45955cebaf8d7f
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/