Bug 7753 - Thunderbird 10.0.8
: Thunderbird 10.0.8
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/519136/
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-10-10 03:59 CEST by David Walser
Modified: 2012-10-11 09:29 CEST (History)
5 users (show)

See Also:
Source RPM: thunderbird-10.0.7-1.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-10-10 03:59:35 CEST
RedHat has issued an advisory today (October 9):
https://rhn.redhat.com/errata/RHSA-2012-1351.html

Funda Wang has uploaded updated packages for Mageia 1 and Mageia 2.

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-3982,
CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180,
CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188).

Two flaws in Thunderbird could allow malicious content to bypass intended
restrictions, possibly leading to information disclosure, or Thunderbird
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, script injection, or spoofing attacks (CVE-2012-1956,
CVE-2012-3992, CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Thunderbird to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
https://rhn.redhat.com/errata/RHSA-2012-1351.html
========================

Updated packages in core/updates_testing:
========================
mozilla-thunderbird-10.0.8-1.mga1
mozilla-thunderbird-enigmail-10.0.8-1.mga1
nsinstall-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ar-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ca-10.0.8-1.mga1
mozilla-thunderbird-enigmail-cs-10.0.8-1.mga1
mozilla-thunderbird-enigmail-de-10.0.8-1.mga1
mozilla-thunderbird-enigmail-el-10.0.8-1.mga1
mozilla-thunderbird-enigmail-es-10.0.8-1.mga1
mozilla-thunderbird-enigmail-fi-10.0.8-1.mga1
mozilla-thunderbird-enigmail-fr-10.0.8-1.mga1
mozilla-thunderbird-enigmail-it-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ja-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ko-10.0.8-1.mga1
mozilla-thunderbird-enigmail-nb-10.0.8-1.mga1
mozilla-thunderbird-enigmail-nl-10.0.8-1.mga1
mozilla-thunderbird-enigmail-pl-10.0.8-1.mga1
mozilla-thunderbird-enigmail-pt-10.0.8-1.mga1
mozilla-thunderbird-enigmail-pt_BR-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ru-10.0.8-1.mga1
mozilla-thunderbird-enigmail-sl-10.0.8-1.mga1
mozilla-thunderbird-enigmail-sv-10.0.8-1.mga1
mozilla-thunderbird-enigmail-tr-10.0.8-1.mga1
mozilla-thunderbird-enigmail-vi-10.0.8-1.mga1
mozilla-thunderbird-enigmail-zh_CN-10.0.8-1.mga1
mozilla-thunderbird-enigmail-zh_TW-10.0.8-1.mga1
mozilla-thunderbird-ar-10.0.8-1.mga1
mozilla-thunderbird-be-10.0.8-1.mga1
mozilla-thunderbird-bg-10.0.8-1.mga1
mozilla-thunderbird-bn_BD-10.0.8-1.mga1
mozilla-thunderbird-br-10.0.8-1.mga1
mozilla-thunderbird-ca-10.0.8-1.mga1
mozilla-thunderbird-cs-10.0.8-1.mga1
mozilla-thunderbird-da-10.0.8-1.mga1
mozilla-thunderbird-de-10.0.8-1.mga1
mozilla-thunderbird-el-10.0.8-1.mga1
mozilla-thunderbird-en_GB-10.0.8-1.mga1
mozilla-thunderbird-es_AR-10.0.8-1.mga1
mozilla-thunderbird-es_ES-10.0.8-1.mga1
mozilla-thunderbird-et-10.0.8-1.mga1
mozilla-thunderbird-eu-10.0.8-1.mga1
mozilla-thunderbird-fi-10.0.8-1.mga1
mozilla-thunderbird-fr-10.0.8-1.mga1
mozilla-thunderbird-fy-10.0.8-1.mga1
mozilla-thunderbird-ga-10.0.8-1.mga1
mozilla-thunderbird-gd-10.0.8-1.mga1
mozilla-thunderbird-gl-10.0.8-1.mga1
mozilla-thunderbird-he-10.0.8-1.mga1
mozilla-thunderbird-hu-10.0.8-1.mga1
mozilla-thunderbird-id-10.0.8-1.mga1
mozilla-thunderbird-is-10.0.8-1.mga1
mozilla-thunderbird-it-10.0.8-1.mga1
mozilla-thunderbird-ja-10.0.8-1.mga1
mozilla-thunderbird-ko-10.0.8-1.mga1
mozilla-thunderbird-lt-10.0.8-1.mga1
mozilla-thunderbird-nb_NO-10.0.8-1.mga1
mozilla-thunderbird-nl-10.0.8-1.mga1
mozilla-thunderbird-nn_NO-10.0.8-1.mga1
mozilla-thunderbird-pl-10.0.8-1.mga1
mozilla-thunderbird-pt_BR-10.0.8-1.mga1
mozilla-thunderbird-pt_PT-10.0.8-1.mga1
mozilla-thunderbird-ro-10.0.8-1.mga1
mozilla-thunderbird-ru-10.0.8-1.mga1
mozilla-thunderbird-si-10.0.8-1.mga1
mozilla-thunderbird-sk-10.0.8-1.mga1
mozilla-thunderbird-sl-10.0.8-1.mga1
mozilla-thunderbird-sq-10.0.8-1.mga1
mozilla-thunderbird-sv_SE-10.0.8-1.mga1
mozilla-thunderbird-ta_LK-10.0.8-1.mga1
mozilla-thunderbird-tr-10.0.8-1.mga1
mozilla-thunderbird-uk-10.0.8-1.mga1
mozilla-thunderbird-vi-10.0.8-1.mga1
mozilla-thunderbird-zh_CN-10.0.8-1.mga1
mozilla-thunderbird-zh_TW-10.0.8-1.mga1
thunderbird-10.0.8-1.mga2
thunderbird-enigmail-10.0.8-1.mga2
nsinstall-10.0.8-1.mga2
thunderbird-ar-10.0.8-1.mga2
thunderbird-ast-10.0.8-1.mga2
thunderbird-be-10.0.8-1.mga2
thunderbird-bg-10.0.8-1.mga2
thunderbird-bn_BD-10.0.8-1.mga2
thunderbird-br-10.0.8-1.mga2
thunderbird-ca-10.0.8-1.mga2
thunderbird-cs-10.0.8-1.mga2
thunderbird-da-10.0.8-1.mga2
thunderbird-de-10.0.8-1.mga2
thunderbird-el-10.0.8-1.mga2
thunderbird-en_GB-10.0.8-1.mga2
thunderbird-es_AR-10.0.8-1.mga2
thunderbird-es_ES-10.0.8-1.mga2
thunderbird-et-10.0.8-1.mga2
thunderbird-eu-10.0.8-1.mga2
thunderbird-fi-10.0.8-1.mga2
thunderbird-fr-10.0.8-1.mga2
thunderbird-fy-10.0.8-1.mga2
thunderbird-ga-10.0.8-1.mga2
thunderbird-gd-10.0.8-1.mga2
thunderbird-gl-10.0.8-1.mga2
thunderbird-he-10.0.8-1.mga2
thunderbird-hu-10.0.8-1.mga2
thunderbird-id-10.0.8-1.mga2
thunderbird-is-10.0.8-1.mga2
thunderbird-it-10.0.8-1.mga2
thunderbird-ja-10.0.8-1.mga2
thunderbird-ko-10.0.8-1.mga2
thunderbird-lt-10.0.8-1.mga2
thunderbird-nb_NO-10.0.8-1.mga2
thunderbird-nl-10.0.8-1.mga2
thunderbird-nn_NO-10.0.8-1.mga2
thunderbird-pl-10.0.8-1.mga2
thunderbird-pa_IN-10.0.8-1.mga2
thunderbird-pt_BR-10.0.8-1.mga2
thunderbird-pt_PT-10.0.8-1.mga2
thunderbird-ro-10.0.8-1.mga2
thunderbird-ru-10.0.8-1.mga2
thunderbird-si-10.0.8-1.mga2
thunderbird-sk-10.0.8-1.mga2
thunderbird-sl-10.0.8-1.mga2
thunderbird-sq-10.0.8-1.mga2
thunderbird-sv_SE-10.0.8-1.mga2
thunderbird-ta_LK-10.0.8-1.mga2
thunderbird-tr-10.0.8-1.mga2
thunderbird-uk-10.0.8-1.mga2
thunderbird-vi-10.0.8-1.mga2
thunderbird-zh_CN-10.0.8-1.mga2
thunderbird-zh_TW-10.0.8-1.mga2

from SRPMS:
mozilla-thunderbird-10.0.8-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.8-1.mga1.src.rpm
thunderbird-10.0.8-1.mga2.src.rpm
thunderbird-l10n-10.0.8-1.mga2.src.rpm
Comment 1 Simon Putt 2012-10-10 12:41:01 CEST
All my extensions are working, and I can also still Sign emails with Enigmail. Works same as previous version.
Comment 2 Simon Putt 2012-10-10 23:44:18 CEST
Forgot to add, Mageia 2, x86_64
Comment 3 Dave Hodgins 2012-10-11 05:54:52 CEST
Testing complete using nntp, email, with enigmail Mageia 1 and 2, i586
and x86-64.

Could someone from the sysadmin team push the srpms
thunderbird-10.0.8-1.mga2.src.rpm
thunderbird-l10n-10.0.8-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
mozilla-thunderbird-10.0.8-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.8-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-3982,
CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180,
CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188).

Two flaws in Thunderbird could allow malicious content to bypass intended
restrictions, possibly leading to information disclosure, or Thunderbird
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, script injection, or spoofing attacks (CVE-2012-1956,
CVE-2012-3992, CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Thunderbird to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
https://rhn.redhat.com/errata/RHSA-2012-1351.html

https://bugs.mageia.org/show_bug.cgi?id=7753
Comment 4 Thomas Backlund 2012-10-11 09:29:53 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0289

Note You need to log in before you can comment on or make changes to this bug.