1. Server >
  2. Unix Server >
  3. USN-2934-1: Thunderbird vulnerabilities

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

USN-2934-1: Thunderbird vulnerabilities


Unix Server vom | Direktlink: ubuntu.com Nachrichten Bewertung

Ubuntu Security Notice USN-2934-1

27th April, 2016

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird - Mozilla Open Source mail and newsgroup client

Details

Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel
Holbert, Jesse Ruderman, and Randell Jesup discovered multiple memory
safety issues in Thunderbird. If a user were tricked in to opening a
specially crafted message, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2016-1952)

Nicolas Golubovic discovered that CSP violation reports can be used to
overwrite local files. If a user were tricked in to opening a specially
crafted website in a browsing context with addon signing disabled and
unpacked addons installed, an attacker could potentially exploit this to
gain additional privileges. (CVE-2016-1954)

Jose Martinez and Romina Santillan discovered a memory leak in
libstagefright during MPEG4 video file processing in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via memory exhaustion. (CVE-2016-1957)

A use-after-free was discovered in the HTML5 string parser. If a user were
tricked in to opening a specially crafted website in a browsing context, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the user
invoking Thunderbird. (CVE-2016-1960)

A use-after-free was discovered in the SetBody function of HTMLDocument.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2016-1961)

Nicolas Grégoire discovered a use-after-free during XML transformations.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2016-1964)

A memory corruption issues was discovered in the NPAPI subsystem. If
a user were tricked in to opening a specially crafted website in a
browsing context with a malicious plugin installed, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2016-1966)

Ronald Crane discovered an out-of-bounds read following a failed
allocation in the HTML parser in some circumstances. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Thunderbird. (CVE-2016-1974)

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS.
A remote attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2016-1950)

Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple
memory safety issues in the Graphite 2 library. If a user were tricked in
to opening a specially crafted message, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797,
CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
thunderbird 1:38.7.2+build1-0ubuntu0.16.04.1
Ubuntu 15.10:
thunderbird 1:38.7.2+build1-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
thunderbird 1:38.7.2+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird 1:38.7.2+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-1950, CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802

...
http://www.ubuntu.com/usn/usn-2934-1/

Externe Quelle mit kompletten Inhalt anzeigen


Zur Startseite von Team IT Security

Kommentiere zu USN-2934-1: Thunderbird vulnerabilities






➤ Weitere Beiträge von Team Security | IT Sicherheit

[Testing Update] 2019-10-27 - KDE-Git, Nvidia, Xorg-Server

vom 838.55 Punkte ic_school_black_18dp
@philm wrote: Hello community, I am happy to announce another Testing Update. Mostly we have updates for Pacman 5.2 release. Tell us about the default layout we should use for Gnome Update news This update holds the following chan

[Testing Update] 2019-12-06 - Kernels, Mesa, Firefox, KDE-git

vom 838.55 Punkte ic_school_black_18dp
@philm wrote: Hello community, I am happy to announce another Testing Update on my Wedding Day. Let's celebrate Phil's and Trang's wedding today Some feature-updates: Some fixes to Cinnamon Firefox-Dev has another beta in 72 series We updated most of our KDE-git packages Mesa update plus the latest Kernels the usua

[Testing Update] 2020-01-28 - Kernels, Browsers, Vulkan

vom 838.55 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Testing Update ... 1094×645Check out the latest changes of Pamac-QT 0.3.1 Some feature-updates: Most of the Kernels got updated Updates to Palemoon and Firefox-dev Newer Vulkan drivers The usual upstream fixes If you like following latest Plasma de

[Stable Update] 2020-01-30 - Kernels, Browsers, Vulkan

vom 838.55 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Stable Update ... 2048×1667Our images for the Pinebook Pro got some updates Some feature-updates: Most of the Kernels got updated Updates to Palemoon and Firefox-dev Newer Vulkan drivers The usual upstream fixes If you like following latest Plasma de

[Testing Update] 2020-02-17 - Kernels, Firefox-Dev, Gnome, BinUtils, Wine 5.2, Python

vom 831.07 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Testing Update. 1920×1080Give Mate 1.24 a spin in our latest 19.0-rc1 build! Some feature-updates: Some of our Kernels got updated Firefox-Dev got updated to its fourth beta of 74 series Gnome got some more updates Fixes to binutils to support

[Testing Update] 2020-04-10 - Thunderbird 68.7.0, OnlyOffice 5.5, Gnome, GTK

vom 456.71 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Testing Update for you: Need to have a look at several documents at once? Have two or more monitors? Now it’s your time! You can stack them together now ... Some feature-updates: Thunderbird got updated to 68.7.0 OnlyOffice is no

[Testing Update] 2020-04-11 - Kernels, Browsers, Calamares, Octopi, Flatpak, Thunderbird, OnlyOffice

vom 456.71 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Stable Update for you: 1920×1080Get your Manjaro Merch 15% off! #StayHome, #StayHealthy, #StaySafe, #HomeOffice Some feature-updates: Some of our Kernels got updated Brave br

[Stable Update] 2020-04-11 - Kernels, Browsers, Calamares, Octopi, Flatpak, Thunderbird, OnlyOffice

vom 456.71 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Stable Update for you: 1920×1080Get your Manjaro Merch 15% off! #StayHome, #StayHealthy, #StaySafe, #HomeOffice Some feature-updates: Some of our Kernels got updated Brave br

[Testing Update] 2019-12-26 - KDE-Git, AMDVLK 2019.Q4.5, NetworkManager 1.20.9

vom 426.76 Punkte ic_school_black_18dp
@philm wrote: Hello community, I am happy to announce another Testing Update. Some feature-updates: Updated KDE-git packages AMDVLK is now at 2019.Q4.5 Network Manager is again downgraded to 1.20.9 the usual upstream fixes If you like following latest Pl

[StableUpdate] 2020-01-20 - Kernels, Plasma 5.19a, Pamac 9.3rc, Gambas, Virtualbox

vom 419.28 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Stable Update ... 1920×1080Test the latest efforts of KDE on our Development ISOs Some feature-updates: Some Kernels got updated Plasma got updated to 5.19 alpha on our KDE-git packages Pamac 9.3 got it's first RC. Please update your translation

[Stable Update] 2020-01-20 - Kernels, Plasma 5.19a, Pamac 9.3rc, Gambas, Virtualbox

vom 419.28 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Stable Update ... 1920×1080Test the latest efforts of KDE on our Development ISOs Some feature-updates: Some Kernels got updated Plasma got updated to 5.19 alpha on our KDE-git packages Pamac 9.3 got it's first RC. Please update your translation

[Testing Update] 2020-03-19 - Kernels, KDE-Git, Appstream-data, Firefox-Dev

vom 419.28 Punkte ic_school_black_18dp
@philm wrote: Hello community, here is another Testing Update for you: 1204×[email protected] managed to get GPD P2 Max Ultra fully supported in Manjaro 19.0 Some feature-updates: We updated some of our Kernels archlinux-apps