Issued:
2007-05-30
Updated:
2007-05-30

RHSA-2007:0401 - Critical: thunderbird security update

Synopsis

Critical: thunderbird security update

Type/Severity

Security Advisory Critical

Topic

Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. (CVE-2007-2867, CVE-2007-2868)

Several denial of service flaws were found in the way Thunderbird handled certain form and cookie data. A malicious web site that is able to set arbitrary form and cookie data could prevent Thunderbird from functioning properly. (CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Thunderbird processed certain APOP authentication requests. By sending certain responses when Thunderbird attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558)

A flaw was found in the way Thunderbird displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking users into thinking they are visiting a different site. (CVE-2007-2871)

Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.12 that corrects these issues.

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for x86_64 - Extended Update Support4.5x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support4.5ia64
Red Hat Enterprise Linux for x86_64 - Extended Update Support4.5i386
Red Hat Enterprise Linux for Power, big endian4ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support4.5ppc
Red Hat Enterprise Linux for IBM z Systems4s390x
Red Hat Enterprise Linux for IBM z Systems4s390
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support4.5s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support4.5s390
Red Hat Enterprise Linux Workstation5x86_64
Red Hat Enterprise Linux Workstation5i386
Red Hat Enterprise Linux Workstation4x86_64
Red Hat Enterprise Linux Workstation4ia64
Red Hat Enterprise Linux Workstation4i386
Red Hat Enterprise Linux Server5x86_64
Red Hat Enterprise Linux Server5i386
Red Hat Enterprise Linux Server4x86_64
Red Hat Enterprise Linux Server4ia64
Red Hat Enterprise Linux Server4i386
Red Hat Enterprise Linux Server from RHUI5x86_64
Red Hat Enterprise Linux Server from RHUI5i386
Red Hat Enterprise Linux Desktop5x86_64
Red Hat Enterprise Linux Desktop5i386
Red Hat Enterprise Linux Desktop4x86_64
Red Hat Enterprise Linux Desktop4i386

Updated Packages

  • thunderbird-1.5.0.12-0.1.el4.ia64.rpm
  • thunderbird-1.5.0.12-1.el5.src.rpm
  • thunderbird-1.5.0.12-0.1.el4.ppc.rpm
  • thunderbird-1.5.0.12-0.1.el4.s390x.rpm
  • thunderbird-1.5.0.12-1.el5.x86_64.rpm
  • thunderbird-1.5.0.12-0.1.el4.s390.rpm
  • thunderbird-1.5.0.12-0.1.el4.src.rpm
  • thunderbird-1.5.0.12-0.1.el4.i386.rpm
  • thunderbird-1.5.0.12-0.1.el4.x86_64.rpm
  • thunderbird-1.5.0.12-1.el5.i386.rpm

Fixes

CVEs

References

Additional information