Download 5.11 Technical Notes - Red Hat Customer Portal

Transcript
⁠Chapt er 3. Updat ed Packages
C VE- 2013- 559 5
It was found that the Thunderbird JavaScript engine incorrectly allocated memory for
certain functions. An attacker could combine this flaw with other vulnerabilities to execute
arbitrary code with the privileges of the user running Thunderbird.
C VE- 2013- 56 04
A flaw was found in the way Thunderbird handled certain Extensible Stylesheet Language
Transformations (XSLT) files. An attacker could combine this flaw with other vulnerabilities
to execute arbitrary code with the privileges of the user running Thunderbird.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges
Jesse Ruderman, Christoph D iehl, D an Gohman, Byoungyoung Lee, Nils, and Abhishek Arya as the
original reporters of these issues.
Note: All of the above issues cannot be exploited by a specially-crafted HTML mail message as
JavaScript is disabled by default for mail messages. They could be exploited another way in
Thunderbird, for example, when viewing the full remote content of an RSS feed.
For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird
17.0.10 ESR.
All Thunderbird users should upgrade to this updated package, which contains Thunderbird version
17.0.10 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted
for the changes to take effect.
3.92.4 . RHSA-2014 :0316 — Import ant : t hunderbird securit y updat e
An updated thunderbird package that fixes several security issues is now available for Red Hat
Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having Important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
Mozilla Thunderbird is a standalone mail and newsgroup client.
Secu rit y Fixes
C VE- 2014 - 14 9 3, C VE- 2014 - 1510, C VE- 2014 - 1511, C VE- 2014 - 1512, C VE- 2014 - 1513,
C VE- 2014 - 1514
Several flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
C VE- 2014 - 14 9 7, C VE- 2014 - 1508, C VE- 2014 - 1505
Several information disclosure flaws were found in the way Thunderbird processed
malformed web content. An attacker could use these flaws to gain access to sensitive
information such as cross-domain content or protected memory addresses or, potentially,
cause Thunderbird to crash.
C VE- 2014 - 1509
155