RHEL 4 / 5 : thunderbird (RHSA-2007-0401)

This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

Updated thunderbird packages that fix several security bugs are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way Thunderbird processed certain
malformed JavaScript code. A web page containing malicious JavaScript
code could cause Thunderbird to crash or potentially execute arbitrary
code as the user running Thunderbird. (CVE-2007-2867, CVE-2007-2868)

Several denial of service flaws were found in the way Thunderbird
handled certain form and cookie data. A malicious web site that is
able to set arbitrary form and cookie data could prevent Thunderbird
from functioning properly. (CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Thunderbird processed certain APOP
authentication requests. By sending certain responses when Thunderbird
attempted to authenticate against an APOP server, a remote attacker
could potentially acquire certain portions of a user's authentication
credentials. (CVE-2007-1558)

A flaw was found in the way Thunderbird displayed certain web content.
A malicious web page could generate content which could overlay user
interface elements such as the hostname and security indicators,
tricking users into thinking they are visiting a different site.
(CVE-2007-2871)

Users of Thunderbird are advised to apply this update, which contains
Thunderbird version 1.5.0.12 that corrects these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2007-1362.html
https://www.redhat.com/security/data/cve/CVE-2007-1558.html
https://www.redhat.com/security/data/cve/CVE-2007-2867.html
https://www.redhat.com/security/data/cve/CVE-2007-2868.html
https://www.redhat.com/security/data/cve/CVE-2007-2869.html
https://www.redhat.com/security/data/cve/CVE-2007-2871.html
http://rhn.redhat.com/errata/RHSA-2007-0401.html

Solution :

Update the affected thunderbird package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 25366 ()

Bugtraq ID:

CVE ID: CVE-2007-1362
CVE-2007-1558
CVE-2007-2867
CVE-2007-2868
CVE-2007-2869
CVE-2007-2871