Ubuntu 6301 Published by

A new Thunderbird vulnerabilities update is available for Ubuntu Linux. Here the announcement:



Ubuntu Security Notice USN-701-2 January 06, 2009
mozilla-thunderbird vulnerabilities
CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507,
CVE-2008-5508, CVE-2008-5511, CVE-2008-5512
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
mozilla-thunderbird 1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Details follow:

Several flaws were discovered in the browser engine. If a user had Javascript
enabled, these problems could allow an attacker to crash Thunderbird and
possibly execute arbitrary code with user privileges. (CVE-2008-5500)

Boris Zbarsky discovered that the same-origin check in Thunderbird could be
bypassed by utilizing XBL-bindings. If a user had Javascript enabled, an
attacker could exploit this to read data from other domains. (CVE-2008-5503)

Marius Schilder discovered that Thunderbird did not properly handle redirects
to an outside domain when an XMLHttpRequest was made to a same-origin resource.
When Javascript is enabled, it's possible that sensitive information could be
revealed in the XMLHttpRequest response. (CVE-2008-5506)

Chris Evans discovered that Thunderbird did not properly protect a user's data
when accessing a same-domain Javascript URL that is redirected to an unparsable
Javascript off-site resource. If a user were tricked into opening a malicious
website and had Javascript enabled, an attacker may be able to steal a limited
amount of private data. (CVE-2008-5507)

Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered
Thunderbird did not properly parse URLs when processing certain control
characters. (CVE-2008-5508)

Several flaws were discovered in the Javascript engine. If a user were tricked
into opening a malicious website and had Javascript enabled, an attacker could
exploit this to execute arbitrary Javascript code within the context of another
website or with chrome privileges. (CVE-2008-5511, CVE-2008-5512)


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1.diff.gz
Size/MD5: 457871 6708c462f15f2f2a6baff4e29c89f30a
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1.dsc
Size/MD5: 1050 afa2249f6dc30aab41be123a9dc4ee37
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i.orig.tar.gz
Size/MD5: 38496066 4cfc246095c4d0aed823957286b3d78e

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 3594116 be08ab02c9d79056d6633df8204ac697
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 195036 3388af5706c609fd857af0b4c83baaaf
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 60284 e48244b6f33777de63390a186f00a587
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 12121434 1874cff31d6f97f46d44b7912d8a209e

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 3587984 87ca4cd810a3aef5f0031f87fe2b4093
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 188476 6067997901bf2298f86f154ed75605de
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 55808 9223b79d4b57a4288723fb9247f09016
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 10391474 2dae030db3d78d5eeea2d2b262017083

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 3593172 2ca154973ea6df8fb00cac0f50e791a8
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 191762 81d133d1bfeb70d377692fd49d5ea9c1
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 59440 bbc9361554b79c69d08ac62b79508199
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 11676430 300ce0fabdf9530f0a4a748755deb9be

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 3589802 4851d549ab3f7b89eb130435941b145a
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 189224 6f81dcb50c903107106edf511564f82b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 57298 06ba7f5f613f0d28457ac9c89366e4a5
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 10869132 496a8efbcdbdf4e709c58aa4101d2d62



--j2AXaZ4YhVcLc+PQ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklj6joACgkQW0JvuRdL8Br1hwCfUB9fyKVmEmL/6MVxdfFwsQfe
oVYAnjPDxUWGm9Ntw+Y5cujO8BnOhV+0
=8CUO
-----END PGP SIGNATURE-----