Debians sikkerhedsbulletin
DSA-1159-2 mozilla-thunderbird -- flere sårbarheder
- Rapporteret den:
- 28. aug 2006
- Berørte pakker:
- mozilla-thunderbird
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 18228, BugTraq-id 19181.
I Mitres CVE-ordbog: CVE-2006-2779, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810.
CERTs noter om sårbarheder, bulletiner og hændelser: VU#466673, VU#655892, VU#687396, VU#876420, VU#911004. - Yderligere oplysninger:
-
De seneste sikkerhedsopdateringer af Mozilla Thunderbird introducerede en regression, der førte til et funktionsforringet vedhæftelsespanel, som er berettiget til en rettelse for at løse problemet. Som reference følger den oprindelige bulletins tekst herunder:
Flere sikkerhedsrelaterede problemer er opdaget i Mozilla og afledte produkter så som Mozilla Thunderbird. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende sårbarheder:
- CVE-2006-2779
Mozilla-holdet har opdaget flere nedbrud under aftestning af browsermaskinen, med beviser på hukommelseskorruption, hvilket også kunne føre udførelse af vilkårlig kode. Den sidste del af dette problem vil blive korrigeret ved næste opdatering. Du kan finder alle problemerne ved at slå Javascript fra. [MFSA-2006-32]
- CVE-2006-3805
Javascript-maskinen kunne gøre det muligt for fjernangribere at udføre vilkårlig kode. [MFSA-2006-50]
- CVE-2006-3806
Flere heltalsoverløb i Javascript-maskinen kunne gøre det muligt for fjernangribere at udføre vilkårlig kode. [MFSA-2006-50]
- CVE-2006-3807
Særligt fremstillet Javascript gjorde det muligt for fjernangribere at udføre vilkårlig kode. [MFSA-2006-51]
- CVE-2006-3808
Remote Proxy AutoConfig (PAC)-servere (fjernopsætbare servere) kunne udføre kode med forøgede rettigheder gennem et særligt fremstillet PAC-skript. [MFSA-2006-52]
- CVE-2006-3809
Skripter med rettigheden UniversalBrowserRead kunne opnå rettigheden UniversalXPConnect, samt muligvis udføre kode eller tilgå følsomme data. [MFSA-2006-53]
- CVE-2006-3810
En sårbarhed i forbindelse med udførelse af skripter gjorde det muligt for fjernangribere at indsprøjte vilkårlige webskripter eller HTML. [MFSA-2006-54]
I den stabile distribution (sarge) er disse problemer rettet i version 1.0.2-2.sarge1.0.8b.2.
I den ustabile distribution (sid) er disse problemer rettet i version 1.5.0.5-1.
Vi anbefaler at du opgraderer din mozilla-thunderbird-pakke.
- CVE-2006-2779
- Rettet i:
-
Debian GNU/Linux 3.1 (sarge)
- Kildekode:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.dsc
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.diff.gz
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_alpha.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_amd64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_arm.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_arm.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_arm.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_arm.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_arm.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_i386.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_i386.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_i386.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_i386.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_i386.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_ia64.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_hppa.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_m68k.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_mips.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_mips.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_mips.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_mips.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_mips.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_mipsel.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_powerpc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_s390.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_s390.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_s390.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_s390.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_s390.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_sparc.deb
- http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.
MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.