Ubuntu Security Notice 3529-1 - It was discovered that a From address encoded with a null character is cut off in the message header display. An attacker could potentially exploit this to spoof the sender address. It was discovered that it is possible to execute JavaScript in RSS feeds in some circumstances. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this in combination with another vulnerability, in order to cause unspecified problems. Various other issues were also addressed.
718720eddc43ffd427e0bb22018bf540e10c1d9368bd32c4736cf3bca8bf3ad0
==========================
==========================
========================
Ubuntu Security Notice USN-3529-1
January 29, 2018
thunderbird vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
It was discovered that a From address encoded with a null character is
cut off in the message header display. An attacker could potentially
exploit this to spoof the sender address. (CVE-2017-7829)
It was discovered that it is possible to execute JavaScript in RSS feeds
in some circumstances. If a user were tricked in to opening a specially
crafted RSS feed, an attacker could potentially exploit this in
combination with another vulnerability, in order to cause unspecified
problems. (CVE-2017-7846)
It was discovered that the RSS feed can leak local path names. If a user
were tricked in to opening a specially crafted RSS feed, an attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-7847)
It was discovered that RSS feeds are vulnerable to new line injection. If=
a user were tricked in to opening a specially crafted RSS feed, an
attacker could potentially exploit this to cause unspecified problems.
(CVE-2017-7848)
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,=
execute arbitrary code, or cause other unspecified effects.
(CVE-2018-5089, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097,
CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5013, CVE-2018-5104=
,
CVE-2018-5117)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
thunderbird 1:52.6.0+build1-0ubuntu0.17.10.1
Ubuntu 16.04 LTS:
thunderbird 1:52.6.0+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
thunderbird 1:52.6.0+build1-0ubuntu0.14.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3529-1
CVE-2017-7829, CVE-2017-7846, CVE-2017-7847, CVE-2017-7848,
CVE-2018-5089, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097,
CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103,
CVE-2018-5104, CVE-2018-5117
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:52.6.0+build1-0ubunt=
u0.17.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:52.6.0+build1-0ubunt=
u0.16.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:52.6.0+build1-0ubunt=
u0.14.04.1
--ueLzOtTCMhsBPcnfSkDYig35k8hNumMiB--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed