openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-4070)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

MozillaThunderbird was updated to version 3.1.8, fixing various
security issues.

Following security issues were fixed: MFSA 2011-01: Mozilla developers
identified and fixed several memory safety bugs in the browser engine
used in Firefox and other Mozilla-based products. Some of these bugs
showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

Jesse Ruderman, Igor Bukanov, Olli Pettay, Gary Kwong, Jeff Walden,
Henry Sivonen, Martijn Wargers, David Baron and Marcia Knous reported
memory safety problems that affected Firefox 3.6 and Firefox 3.5.
(CVE-2011-0053)

Igor Bukanov and Gary Kwong reported memory safety problems that
affected Firefox 3.6 only. (CVE-2011-0062)

MFSA 2011-08 / CVE-2010-1585: Mozilla security developer Roberto Suggi
Liverani reported that ParanoidFragmentSink, a class used to sanitize
potentially unsafe HTML for display, allows javascript: URLs and other
inline JavaScript when the embedding document is a chrome document.
While there are no unsafe uses of this class in any released products,
extension code could have potentially used it in an unsafe manner.

MFSA 2011-09 / CVE-2011-0061: Security researcher Jordi Chancel
reported that a JPEG image could be constructed that would be decoded
incorrectly, causing data to be written past the end of a buffer
created to store the image. An attacker could potentially craft such
an image that would cause malicious code to be stored in memory and
then later executed on a victim's computer.

See also :

https://bugzilla.novell.com/show_bug.cgi?id=667155

Solution :

Update the affected MozillaThunderbird packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now