New mozilla-thunderbird packages are available for Slackware 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.

A number of security vulnerabilities have been discovered in previous versions, and corrected in the latest Mozilla Thunderbird program, version 2.0.0.21 (CVE-2009-0040, CVE-2009-0776, CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0352, CVE-2009-0353).

This update provides the latest Thunderbird to correct these issues.

Additionally, Mozilla Thunderbird released with Mandriva Linux 2009.0, when used with Enigmail extension on x86_64 architecture, would freeze whenever any Enigmail function was used (bug #45001). Also, when used on i586 architecture, Thunderbird would crash when sending an email, if a file with an unknown extension was attached to it. (bug #46107)

This update also fixes those issues.

From Red Hat Security Advisory 2009:0258 :

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2009-0352, CVE-2009-0353, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775)

Several flaws were found in the way malformed content was processed.
An HTML mail message containing specially crafted content could potentially trick a Thunderbird user into surrendering sensitive information. (CVE-2009-0355, CVE-2009-0776)

Note: JavaScript support is disabled by default in Thunderbird. None of the above issues are exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.

http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Mozilla Firefox Browser was refreshed to the current MOZILLA_1_8 branch state around fix level 2.0.0.22. 

Security issues identified as being fixed are: MFSA 2009-01 / CVE-2009-0352 / CVE-2009-0353: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

  - Mozilla developers identified and fixed several     stability bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these crashes     showed evidence of memory corruption under certain     circumstances and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2009-07 / CVE-2009-0772 / CVE-2009-0774)

  - Mozilla security researcher Georgi Guninski reported     that a website could use nsIRDFService and a     cross-domain redirect to steal arbitrary XML data from     another domain, a violation of the same-origin policy.
    This vulnerability could be used by a malicious website     to steal private data from users authenticated to the     redirected website. (MFSA 2009-09 / CVE-2009-0776)

  - Google security researcher Tavis Ormandy reported     several memory safety hazards to the libpng project, an     external library used by Mozilla to render PNG images.
    These vulnerabilities could be used by a malicious     website to crash a victim's browser and potentially     execute arbitrary code on their computer. libpng was     upgraded to version 1.2.35 which containis fixes for     these flaws. (MFSA 2009-10 / CVE-2009-0040)

  - Security researcher Guido Landi discovered that a XSL     stylesheet could be used to crash the browser during a     XSL transformation. An attacker could potentially use     this crash to run arbitrary code on a victim's computer.
    This vulnerability was also previously reported as a     stability problem by Ubuntu community member, Andre.
    Ubuntu community member Michael Rooney reported Andre's     findings to Mozilla, and Mozilla community member Martin     helped reduce Andre's original testcase and contributed     a patch to fix the vulnerability. (MFSA 2009-12 /     CVE-2009-1169)

Versions of Mozilla Thunderbird prior to 2.0.0.21 are affected by the following vulnerabilities :

 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)
 - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions. (MFSA 2009-07)
 - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)
 - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

Versions of Firefox 3.x prior to 3.0.6 are affected by the following security issues : 

 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)
 - A chrome XBL method can be used in conjunction with 'window.eval' to execute arbitrary JavaScript within the context of another website, violating the same origin policy. (MFSA 2009-02)
 - A form input control's type could be changed during the restoration of a closed tab to the path of a local file whose location was known to the attacker. (MFSA 2009-03)
 - An attacker may be able to inject arbitrary code into a chrome document and then execute it with chrome privileges if he can trick a user into downloading a malicious HTML file and a .desktop shortcut file. (MFSA 2009-04)
 - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs.  (MFSA 2009-05)
 - The 'Cache-Control:  no-store' and 'Cache-Control:  no-cache' HTTP directives for HTTPS pages are ignored by Firefox 3, which could lead to exposure of sensitive information. (MFSA 2009-06).

The installed version of SeaMonkey is earlier than 1.1.15.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs. (MFSA 2009-05)

  - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions. (MFSA 2009-07)

  - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)

  - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

ID	Name	Product	Family	Published	Updated	Severity
36011	Slackware 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : mozilla-thunderbird (SSA:2009-083-03)	Nessus	Slackware Local Security Checks	3/25/2009	1/14/2021	critical
36318	Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2009:083)	Nessus	Mandriva Local Security Checks	4/23/2009	1/6/2021	critical
67797	Oracle Linux 4 : thunderbird (ELSA-2009-0258)	Nessus	Oracle Linux Local Security Checks	7/12/2013	1/14/2021	critical
37911	Fedora 10 : seamonkey-1.1.15-3.fc10 (2009-3161)	Nessus	Fedora Local Security Checks	4/23/2009	1/11/2021	critical
41467	SuSE 10 Security Update : MozillaFirefox (ZYPP Patch Number 6187)	Nessus	SuSE Local Security Checks	9/24/2009	1/14/2021	critical
4964	Mozilla Thunderbird < 2.0.0.21 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	3/23/2009	3/6/2019	medium
4922	Mozilla Firefox 3.x < 3.0.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	2/4/2009	3/6/2019	medium
4965	SeaMonkey < 1.1.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	3/23/2009	3/6/2019	medium

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

medium

medium

medium