Säkerhetsbulletin från Debian

DSA-781-1 mozilla-thunderbird -- flera sårbarheter

Rapporterat den:

2005-08-23

Berörda paket:

Sårbara:

Referenser i säkerhetsdatabaser:

I Debians felrapporteringssystem: Fel 318728.
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 14242, BugTraq-id 14242.
I Mitres CVE-förteckning: CVE-2005-0989, CVE-2005-1159, CVE-2005-1160, CVE-2005-1532, CVE-2005-2261, CVE-2005-2265, CVE-2005-2266, CVE-2005-2269, CVE-2005-2270.

Ytterligare information:

Flera problem har upptäckts i Mozilla Thunderbird, den fristående e-postklienten från Mozillasviten. Projektet Common Vulnerabilities and Exposures identifierar följande problem:

CAN-2005-0989
Fjärrangripare kunde läsa delar av heapminnet till en JavaScriptsträng genom lamda-ersättningsmetoden.
CAN-2005-1159
JavaScripttolken kunde luras att fortsätta exekveringen från fel minnesadress, vilket kunde göra det möjligt för angripare att utföra en överbelastningsattack (applikationskrasch) och möjligen exekvera godtycklig kod.
CAN-2005-1160
Angripare utifrån kunde överstyra vissa egenskaper eller metoder i DOM-noder och uppnå privilegier.
CAN-2005-1532
Angripare utifrån kunde överstyra vissa egenskaper eller metoder på grund av att det saknas begränsningar i JavaScript eval och Script-objekt och uppnå privilegier.
CAN-2005-2261
XML-skript körde även när JavaScript inaktiverats.
CAN-2005-2265
Saknad städning av indata i InstallVersion.compareTo() kan få programmet att krascha.
CAN-2005-2266
Angripare utifrån kunde stjäla känslig information såsom kakor och lösenord från webbplatser genom att läsa data i fjärr-ramar.
CAN-2005-2269
Angripare utifrån kunde modifiera vissa tagg-egenskaper i DOM-noder, vilket kunde leda till exekvering av godtyckliga skript eller kod.
CAN-2005-2270
Mozilla-webbläsarfamiljen klonar inte basobjekt korrekt, vilket gör det möjligt för angripare utifrån att exekvera godtycklig kod.

Den gamla stabila utgåvan (Woody) påverkas inte av dessa problem eftersom det inte innehåller paket för Mozilla.

För den stabila utgåvan (Sarge) har dessa problem rättats i version 1.0.2-2.sarge1.0.6.

För den instabila utgåvan (Sid) har dessa problem rättats i version 1.0.6-1.

Vi rekommenderar att ni uppgraderar ert Mozilla Thunderbird-paket.

Rättat i:

Debian GNU/Linux 3.1 (sarge)

Källkod:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6.dsc; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6.diff.gz; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.