Message-Id: <20061204081459.59678FDE1@finlandia.home.infodrom.org>
Date: Mon,  4 Dec 2006 09:14:59 +0100 (CET)
From: joey@...odrom.org (Martin Schulze)
To: debian-security-announce@...ts.debian.org (Debian Security Announcements)
Subject: [SECURITY] [DSA 1227-1] New Mozilla Thunderbird
	packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1227-1                    security@...ian.org
http://www.debian.org/security/                             Martin Schulze
December 4th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464
                 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496 
BugTraq IDs    : 19678 20957

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Thunderbird.  The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses
    could lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic
    flaw in the handling of PKCS-1 certificates was incomplete, which
    allows the forgery of certificates.

CVE-2006-5463

    "shutdown" discovered that modification of JavaScript objects
    during execution could lead to the execution of arbitrary
    JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in
    the layout engine, which might also allow execution of arbitrary
    code.

CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the
    JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes, which could be triggered by
malicious websites, and fixes a regression introduced in the previous
Mozilla update.


For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in
the current icedove package 1.5.0.8.

We recommend that you upgrade your mozilla-thunderbird package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1.dsc
      Size/MD5 checksum:     1003 6c5f746adeacacdf3127e17cb2aa8bee
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1.diff.gz
      Size/MD5 checksum:   529889 28823ccf3573c2dd660fd9d9e3e22b09
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
      Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum: 12856976 84bc9994e2d58b31b25e2bd069d1def3
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:  3280854 caa0d6f973d08d3f2b35e52254b00c2d
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:   152698 d9fdc6a19105ddd536acd60a8ee2ab37
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:    34122 cafae516210656d77a176415fb8db6f4
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:    90116 699b3712455d642e224b54c926328a4c

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum: 12259294 289d4d588a4c47385220edb78c04afae
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum:  3282040 f4c6b066917601dad180472abf540098
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum:   151728 58934099903d70e9299390ea13f59df5
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum:    34120 08a6bedf50fe0457cbce271965871b47
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum:    89962 ba63d212aa7a4aeed16ed0f2d80d6a86

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_arm.deb
      Size/MD5 checksum: 10345710 e715702c5b2aa723f9d25802287e94e4
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_arm.deb
      Size/MD5 checksum:  3273096 cce5d1fd85a8409b4af4ff6f7968e9d2
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_arm.deb
      Size/MD5 checksum:   143868 8a3036032e81ef1010e3a3162725a818
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_arm.deb
      Size/MD5 checksum:    34132 f2ab43ddc5f063963bef4e1ff6d9c956
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_arm.deb
      Size/MD5 checksum:    81934 ae1ce06ee154fb9e85fea35aaf5311fc

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_hppa.deb
      Size/MD5 checksum: 13571836 d5c2bbb909b9d6be2ca180f14c307f1e
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_hppa.deb
      Size/MD5 checksum:  3285646 5c9f816a25d33453f59179991ea74d0d
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_hppa.deb
      Size/MD5 checksum:   153926 4f22d429a7781c9f09b4edb68816c853
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_hppa.deb
      Size/MD5 checksum:    34134 cae400c43c5f0f5e0e276a047dbdab20
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_hppa.deb
      Size/MD5 checksum:    97998 bf0c11bb906656980cc4e5744eb464bd

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_i386.deb
      Size/MD5 checksum: 11549564 41a015e8acb35a566e733d5e3efbd26f
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_i386.deb
      Size/MD5 checksum:  3279334 7f4340a3a8a8194a7e99bd818866c57e
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_i386.deb
      Size/MD5 checksum:   147232 ad62baa206ff857d41db06fc9985881e
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_i386.deb
      Size/MD5 checksum:    34122 463263b2b57ed86dcde4f3bb458d0cf7
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_i386.deb
      Size/MD5 checksum:    88704 427bbd7d9754931c19829bc21096553d

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_ia64.deb
      Size/MD5 checksum: 14632100 53cd255c1673064d35138b4ddd9a00dd
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_ia64.deb
      Size/MD5 checksum:  3291608 e4d9bf2df8ae5a7ca3730f12409fe836
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_ia64.deb
      Size/MD5 checksum:   156062 a264399ce67bcfef3823da09effe603f
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_ia64.deb
      Size/MD5 checksum:    34120 beeb92a784afcee38f2ea9c5a5747a8c
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_ia64.deb
      Size/MD5 checksum:   107826 ce5eb8ae242c1e3ae2de7b2dd4638086

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_m68k.deb
      Size/MD5 checksum: 10795348 67b697071cc0d1f5667c6ed7464e90f7
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_m68k.deb
      Size/MD5 checksum:  3272426 d1a76c3cc4d53d311d4fa2933fa241aa
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_m68k.deb
      Size/MD5 checksum:   145646 bb4e9eed4d5639080ad0f40d4b9ccd3e
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_m68k.deb
      Size/MD5 checksum:    34148 7a167f58be69a5f87ae0b6ff696c195b
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_m68k.deb
      Size/MD5 checksum:    83168 00b7c01b14e69d3de5b716a97b531135

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_mips.deb
      Size/MD5 checksum: 11949608 9ec9db79429dda4d407ccf88ccdcd432
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_mips.deb
      Size/MD5 checksum:  3280190 9c5196972a3cf0c2c526f858aca2466e
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_mips.deb
      Size/MD5 checksum:   148640 5797fb7d9315c3143f3764f6b6f85c25
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_mips.deb
      Size/MD5 checksum:    34124 cb575700d4f03213414e5723de4f71e3
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_mips.deb
      Size/MD5 checksum:    85368 0ac0335d952db222dd2cabb47aebaf93

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_mipsel.deb
      Size/MD5 checksum: 11817496 aba31a9b55e305979548c2bc354d25b8
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_mipsel.deb
      Size/MD5 checksum:  3281036 ad64af4aa0945eb30474881150f19368
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_mipsel.deb
      Size/MD5 checksum:   148210 efb0d8070713c0392b4bf515df28b2a2
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_mipsel.deb
      Size/MD5 checksum:    34122 7506a7d0d2452a5aa57a8e729a129afe
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_mipsel.deb
      Size/MD5 checksum:    85264 a660f1051091732b2b827a25169bcd13

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_powerpc.deb
      Size/MD5 checksum: 10913258 2b2bc733b1a9c582846a35e09f790792
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_powerpc.deb
      Size/MD5 checksum:  3270832 f0971f53b8576629a543e31b13b5fc82
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_powerpc.deb
      Size/MD5 checksum:   145640 b0f543ffae409f9c2ed5feb623d9ccc9
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_powerpc.deb
      Size/MD5 checksum:    34126 d00d244fff67496236b40c606eb2b068
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_powerpc.deb
      Size/MD5 checksum:    82090 08904221a4f22160c5448adc5e584892

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_s390.deb
      Size/MD5 checksum: 12706338 9cff7d191572124759121b992f9fcbbe
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_s390.deb
      Size/MD5 checksum:  3281302 32b6910f4a3352602eb5f2fba6496b5c
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_s390.deb
      Size/MD5 checksum:   152014 b85e247ddc89da9251bc96237bc496cb
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_s390.deb
      Size/MD5 checksum:    34118 34fa6f63472be37d37e23ce669dc9ae3
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_s390.deb
      Size/MD5 checksum:    89892 c8e4543a63614010de56776b5b597006

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_sparc.deb
      Size/MD5 checksum: 11182150 3728f5afbe35203ae332876bc1804866
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_sparc.deb
      Size/MD5 checksum:  3276596 305ba0ef1c0dec7b7057af38507a981b
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_sparc.deb
      Size/MD5 checksum:   145322 6799c906fa439170521396913ba7092a
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_sparc.deb
      Size/MD5 checksum:    34118 4ac987cbe24509923ed7cf89c78995dc
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_sparc.deb
      Size/MD5 checksum:    83734 191466ecaad65e7781192a118749fc45


  These files will probably be moved into the stable distribution on
  its next update.
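
Added example (not part of the original advisory and not Debian's own tooling): before running dpkg -i on a file fetched with wget, its size and MD5 can be checked against the URL and "Size/MD5 checksum" pairs listed above. The names parse_manifest and check_file and the sample package in the demo are assumptions made for this illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One manifest entry: a URL line followed by "Size/MD5 checksum: <bytes> <md5>".
ENTRY = re.compile(
    r"^\s*(?P<url>(?:https?|ftp)://\S+)\s*\n"
    r"\s*Size/MD5 checksum:\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s*$",
    re.MULTILINE,
)

def parse_manifest(advisory_text):
    """Map file name -> (size, md5) for every URL/checksum pair in the text."""
    manifest = {}
    for m in ENTRY.finditer(advisory_text):
        name = m["url"].rsplit("/", 1)[-1]
        entry = (int(m["size"]), m["md5"])
        # The same file name listed twice with different values is an error.
        if manifest.setdefault(name, entry) != entry:
            raise ValueError(f"conflicting entries for {name}")
    return manifest

def check_file(path, manifest):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'md5-mismatch'."""
    path = Path(path)
    expected = manifest.get(path.name)
    if expected is None:
        return "unlisted"          # never install a file the advisory does not name
    size, md5 = expected
    if path.stat().st_size != size:
        return "size-mismatch"     # cheap check first: truncated or padded download
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"

if __name__ == "__main__":
    # Constructed sample: host, file name and contents are made up.
    data = b"constructed package bytes"
    text = ("    http://mirror.example.invalid/pool/demo_1.0_i386.deb\n"
            f"      Size/MD5 checksum: {len(data):8d} {hashlib.md5(data).hexdigest()}\n")
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d, "demo_1.0_i386.deb")
        pkg.write_bytes(data)
        print(check_file(pkg, parse_manifest(text)))
        pkg.write_bytes(data[:-1] + b"X")   # same length, altered content
        print(check_file(pkg, parse_manifest(text)))
```

The checksums are only as trustworthy as the advisory text they were read from, so verify the advisory's PGP signature first. MD5 catches corrupted or swapped downloads but does not resist deliberately constructed collisions.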

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFc9kCW5ql+IAeqTIRAlWUAJ4yg4SG/SCLzd///G08uHiPjnxtiACgqN6r
iMNDIuBp0otB0CAnhO2A2Cw=
=otNU
-----END PGP SIGNATURE-----
