-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#12
- ------------------------------------------------------------
Name: thunderbird
Date: 2007-03-07
Severity: Normal
Warning #: 2007-#12
- ------------------------------------------------------------

Product Background
===================
Standalone Mail/News reader

Problem Background
===================
The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with an SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library. (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute arbitrary code with the user's privileges by tricking the user into opening a malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

Impact
======
A malicious SSL web site could potentially execute arbitrary code with the user's privileges. No public exploits are known at this time.

Problem Packages
===================
- ------------------------------------------------------------------
Package      | Repo    | Group   | Unsafe     | Safe        |
- ------------------------------------------------------------------
thunderbird  | current | network | < 1.5.0.10 | >= 1.5.0.10 |

Package Fix
===================
Upgrade Thunderbird to 1.5.0.10.

Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
where I will summarize all warnings.

I am trying to make a place where we, members of the community, can talk about these:
http://jjdanimoth.netsons.org/flyspray/

Please, give me your feedback on this.
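The package fix above reduces to a version comparison. The following POSIX sh script is an example added here and is not part of the original warning or of Arch's tooling: it compares an installed thunderbird version against the 1.5.0.10 fix version without depending on pacman's own vercmp (so it also runs on a non-Arch host), and only queries `pacman -Q thunderbird` when pacman is present. The function names (vercmp_dotted, thunderbird_vulnerable, check_installed) are the example's own, and the version "1.5.0.9-1" used when pacman is absent is a constructed sample, not a real query result.

```shell
#!/bin/sh
# Added example for ALSW 2007-#12: is the installed thunderbird older
# than the fixed version?  Handles plain dotted numeric versions with an
# optional Arch "-pkgrel" suffix (e.g. "1.5.0.9-1"); epochs and alpha/beta
# suffixes are deliberately out of scope for this example.

FIXED_VERSION="1.5.0.10"

# vercmp_dotted A B: prints -1, 0 or 1 as A is <, = or > B.
# Pure POSIX sh, so it works where pacman's `vercmp` is not installed.
vercmp_dotted() {
    a="${1%%-*}"   # strip "-pkgrel"
    b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah:-0}"; bh="${bh:-0}"      # missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# thunderbird_vulnerable VERSION: true (exit 0) if VERSION predates the fix.
thunderbird_vulnerable() {
    [ "$(vercmp_dotted "$1" "$FIXED_VERSION")" -lt 0 ]
}

# check_installed: query pacman when available, otherwise fall back to a
# constructed sample version so the script still runs offline.
# Exit status: 0 safe, 1 vulnerable, 2 package not installed.
check_installed() {
    if command -v pacman >/dev/null 2>&1; then
        ver="$(pacman -Q thunderbird 2>/dev/null | awk '{print $2}')"
    else
        ver="1.5.0.9-1"   # constructed sample, not a real query result
    fi
    if [ -z "$ver" ]; then
        echo "thunderbird: not installed"
        return 2
    fi
    if thunderbird_vulnerable "$ver"; then
        echo "thunderbird $ver: VULNERABLE, upgrade to >= $FIXED_VERSION"
        return 1
    fi
    echo "thunderbird $ver: safe"
    return 0
}

check_installed
```

Unlike pacman's vercmp, this comparison treats a missing trailing component as 0 (so 1.5 equals 1.5.0) and only understands digits, which is enough for the versions in this warning; anything with an epoch or a letter suffix should go through vercmp itself.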
Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777

Contact
==================
JJDaNiMoTh < jjdanimoth AT gmail DOT com >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF7yR5cJj0HNhER0MRAq7CAKCY0tRAX+yxbgyNlWqg5/oPbOTspgCfeKmo
wcu17yAOyBB+InMniajbmU8=
=Q1GN
-----END PGP SIGNATURE-----
_______________________________________________
arch mailing list
[email protected]
http://www.archlinux.org/mailman/listinfo/arch
