ESB-2007.0084 -- [Debian] -- New Mozilla Thunderbird packages fix several vulnerabilities

Date: 08 February 2007
Original URL: http://www.auscert.org.au/render.html?cid=34&it=7259
References: AL-2006.0127
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0084 -- [Debian]
New Mozilla Thunderbird packages fix several vulnerabilities
8 February 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              mozilla-thunderbird
Publisher:            Debian
Operating System:     Debian GNU/Linux 3.1
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-6503 CVE-2006-6502 CVE-2006-6501
                      CVE-2006-6499 CVE-2006-6498 CVE-2006-6497
Ref:                  AL-2006.0127

Revision History:     February 8 2007: Incorrectly tagged as a Firefox
                                       release. Corrected to Thunderbird.
                      February 8 2007: Initial Release
--------------------------BEGIN INCLUDED TEXT--------------------

--------------------------------------------------------------------------
Debian Security Advisory DSA 1258-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
February 7th, 2007                      http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : mozilla-firefox
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-6497 CVE-2006-6498 CVE-2006-6499 CVE-2006-6501
CVE-2006-6502 CVE-2006-6503
CERT advisories: VU#263412 VU#405092 VU#427972 VU#428500 VU#447772 VU#606260
BugTraq ID : 21668
Debian Bug :

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox. The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:

CVE-2006-6497

    Several vulnerabilities in the layout engine allow remote
    attackers to cause a denial of service and possibly permit them to
    execute arbitrary code. [MFSA 2006-68]

CVE-2006-6498

    Several vulnerabilities in the JavaScript engine allow remote
    attackers to cause a denial of service and possibly permit them to
    execute arbitrary code. [MFSA 2006-68]

CVE-2006-6499

    A bug in the js_dtoa function allows remote attackers to cause a
    denial of service. [MFSA 2006-68]

CVE-2006-6501

    "shutdown" discovered a vulnerability that allows remote attackers
    to gain privileges and install malicious code via the watch
    JavaScript function. [MFSA 2006-70]

CVE-2006-6502

    Steven Michaud discovered a programming bug that allows remote
    attackers to cause a denial of service. [MFSA 2006-71]

CVE-2006-6503

    "moz_bug_r_a4" reported that the src attribute of an IMG element
    could be used to inject JavaScript code. [MFSA 2006-72]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.2-2.sarge1.0.8e.2.

For the testing (etch) and unstable (sid) distribution these problems
have been fixed in version 1.5.0.9.dfsg1-1 of icedove.

We recommend that you upgrade your Mozilla Thunderbird and Icedove packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================