---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-189672
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189672
2006-05-25
---------------------------------------------------------------------

Name        : thunderbird
Versions    : fc3: thunderbird-1.0.8-1.1.fc3.4.legacy
Summary     : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.

---------------------------------------------------------------------
Update Information:

Updated thunderbird packages that fix several security bugs are now
available.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several bugs were found in the way Thunderbird processes malformed
javascript. A malicious HTML mail message could modify the content of a
different open HTML mail message, possibly stealing sensitive
information or conducting a cross-site scripting attack. Please note
that JavaScript support is disabled by default in Thunderbird.
(CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

Several bugs were found in the way Thunderbird processes certain
javascript actions. A malicious HTML mail message could execute
arbitrary javascript instructions with the permissions of 'chrome',
allowing the page to steal sensitive information or install browser
malware. Please note that JavaScript support is disabled by default in
Thunderbird. (CVE-2006-0292, CVE-2006-0296, CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Thunderbird processes malformed HTML
mail messages. A carefully crafted malicious HTML mail message could
cause the execution of arbitrary code as the user running Thunderbird.
(CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730,
CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Thunderbird processes certain inline content
in HTML mail messages. It may be possible for a remote attacker to send
a carefully crafted mail message to the victim, which will fetch remote
content, even if Thunderbird is configured not to fetch remote content.
(CVE-2006-1045)

A bug was found in the way Thunderbird executes in-line mail forwarding.
If a user can be tricked into forwarding a maliciously crafted mail
message as in-line content, it is possible for the message to execute
javascript with the permissions of "chrome". (CVE-2006-0884)

Users of Thunderbird are advised to upgrade to these updated packages
containing Thunderbird version 1.0.8, which is not vulnerable to these
issues.

---------------------------------------------------------------------
Changelogs

fc3:
* Mon May 15 2006 David Eisenstein <deisenst@xxxxxxx> 1.0.8-1.1.fc3.4.legacy
- Add buildrequires: libgnome-devel, libbonobo-devel, GConf2-devel,
  gnome-vfs2-devel, glib2-devel, ORBit2-devel, popt

* Fri Apr 28 2006 David Eisenstein <deisenst@xxxxxxx> 1.0.8-1.1.fc3.2.legacy
- Add buildrequires - desktop-file-utils

* Tue Apr 25 2006 David Eisenstein <deisenst@xxxxxxx> 1.0.8-1.1.fc3.1.legacy
- Portions of the firefox-1.0-gcc4-compile.patch are already applied in
  the src tarball. Remove those so remainder of patch will apply.

* Tue Apr 25 2006 David Eisenstein <deisenst@xxxxxxx> 1.0.8-1.1.fc3.legacy
- Update to 1.0.8, containing fixes for:
  CVE-2006-1731, CVE-2006-1732, CVE-2006-1741, CVE-2006-0292,
  CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733,
  CVE-2006-1734, CVE-2006-1735, CVE-2006-1742, CVE-2006-0749,
  CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
  CVE-2006-1739, CVE-2006-1790, CVE-2006-1045

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc3:
f8af690feea54ca58a8844d165fa36f4663ae0b5
  fedora/3/updates-testing/i386/thunderbird-1.0.8-1.1.fc3.4.legacy.i386.rpm
8fdfa93482e2a5de6c38e05a285e24360b12bbaa
  fedora/3/updates-testing/x86_64/thunderbird-1.0.8-1.1.fc3.4.legacy.x86_64.rpm
b9b9cc2694512827633ecba95b8327b0efb68f40
  fedora/3/updates-testing/SRPMS/thunderbird-1.0.8-1.1.fc3.4.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
-- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list
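
One way to check downloaded packages against the sha1sums listed in this notification before testing them, as an added example that is not part of the original announcement or of Fedora Legacy's tooling. The function names verify_update and advisory_manifest are hypothetical; the script assumes the coreutils sha1sum command and matches files by base name in a local download directory.

```shell
#!/bin/sh
# Added example: verify downloaded RPMs against this notification's sha1sums.
# Assumes coreutils `sha1sum`; function names are hypothetical.

# The three "<sha1> <path>" entries copied from the notification.
advisory_manifest() {
    cat <<'EOF'
f8af690feea54ca58a8844d165fa36f4663ae0b5 fedora/3/updates-testing/i386/thunderbird-1.0.8-1.1.fc3.4.legacy.i386.rpm
8fdfa93482e2a5de6c38e05a285e24360b12bbaa fedora/3/updates-testing/x86_64/thunderbird-1.0.8-1.1.fc3.4.legacy.x86_64.rpm
b9b9cc2694512827633ecba95b8327b0efb68f40 fedora/3/updates-testing/SRPMS/thunderbird-1.0.8-1.1.fc3.4.legacy.src.rpm
EOF
}

# verify_update DIR
# Reads "<sha1> <path>" lines on stdin and checks DIR/<basename of path>.
# Files that were not downloaded are skipped (a tester usually fetches one
# architecture). Succeeds only if at least one file was checked and none
# mismatched, so an empty directory never counts as "verified".
verify_update() {
    dir=$1 checked=0 bad=0
    while read -r want path || [ -n "$want" ]; do
        # Accept only 40-digit lowercase hex entries, as used in the notice.
        case $want in
            ""|*[!0-9a-f]*) continue ;;
        esac
        [ "${#want}" -eq 40 ] || continue
        name=${path##*/}
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP      $name (not downloaded)"
            continue
        fi
        got=$(sha1sum < "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"
            bad=$((bad + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: advisory_manifest | verify_update /path/to/downloads
```

A MISMATCH or a non-zero exit status means the file should not be installed; re-download it and compare again.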