Mozilla has released a new version of Mozilla Thunderbird that corrects serious and critical vulnerabilities in that product. Red Hat has issued advisory RHSA-2006:0330-01 <http://rhn.redhat.com/errata/RHSA-2006-0330.html>. With that advisory, Red Hat has released thunderbird-1.0.8-1.4.1. Here is the Problem Description from that advisory:

"Several bugs were found in the way Thunderbird processes malformed javascript. A malicious HTML mail message could modify the content of a different open HTML mail message, possibly stealing sensitive information or conducting a cross-site scripting attack. Please note that JavaScript support is disabled by default in Thunderbird. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

"Several bugs were found in the way Thunderbird processes certain javascript actions. A malicious HTML mail message could execute arbitrary javascript instructions with the permissions of 'chrome', allowing the page to steal sensitive information or install browser malware. Please note that JavaScript support is disabled by default in Thunderbird. (CVE-2006-0292, CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

"Several bugs were found in the way Thunderbird processes malformed HTML mail messages. A carefully crafted malicious HTML mail message could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

"A bug was found in the way Thunderbird processes certain inline content in HTML mail messages. It may be possible for a remote attacker to send a carefully crafted mail message to the victim, which will fetch remote content, even if Thunderbird is configured not to fetch remote content. (CVE-2006-1045)

"Users of Thunderbird are advised to upgrade to this updated package containing Thunderbird version 1.0.8, which is not vulnerable to these issues."
Here is an updated mozilla Thunderbird package to QA for FC3:

1aa9684f679b29eef1848d517a803c8606db1210__thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/100-thunderbird-1.0.8-1.1.fc3.2.legacy/thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm

Changelog:

* Fri Apr 28 2006 David Eisenstein <deisenst> 1.0.8-1.1.fc3.2.legacy
- Add buildrequires - desktop-file-utils

* Tue Apr 25 2006 David Eisenstein <deisenst> 1.0.8-1.1.fc3.1.legacy
- Portions of the firefox-1.0-gcc4-compile.patch are already applied in the src tarball. Remove those so remainder of patch will apply.

* Tue Apr 25 2006 David Eisenstein <deisenst> 1.0.8-1.1.fc3.legacy
- Update to 1.0.8, containing fixes for: CVE-2006-1731, CVE-2006-1732, CVE-2006-1741, CVE-2006-0292, CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790, CVE-2006-1045

Thanks!
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal [*]
- no patch changes except OK removal.

[*] as this is the first time this package is being built in mock, please make sure you run appropriate rpm-build-compare.sh (e.g., ldd) or similar stuff on the binaries to make sure all the buildrequires stuff that was in the previous version was properly included.

+PUBLISH FC3 1aa9684f679b29eef1848d517a803c8606db1210 thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm
Thanks, Pekka! :)
Pekka, I wish to thank you very much for your advice to check the rpm-build-compare.sh of the binary packages. There were indeed many, many missing BuildRequires. I am building (what I hope is now) the last incarnation of Mozilla Thunderbird so we can push it to updates-testing... Thanks again! I appreciate your eagle-eye and your sharp mind!
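The binary check Pekka asks for above, and that turned up the missing BuildRequires David mentions, as an added example (not part of rpm-build-compare.sh or of this thread): diff the ldd output of the previous build against the rebuilt binary and report libraries the rebuild no longer links, which is what a BuildRequires missing from the mock build root typically causes. The two ldd listings are constructed sample input, not output from the real thunderbird packages.

```python
# Added example: diff the `ldd` output of a previous build against a rebuilt
# binary. A BuildRequires missing from the build root usually makes configure
# skip a feature, so the new binary silently stops linking a library.
# Both listings are CONSTRUCTED sample input, not from the real packages.
OLD_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        libgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x00c0e000)
        libXft.so.2 => /usr/lib/libXft.so.2 (0x00b0d000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00a0f000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
        /lib/ld-linux.so.2 (0x00100000)
"""

# Rebuilt without the Xft/freetype -devel packages: two libraries vanish.
NEW_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        libgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x00c0e000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
        /lib/ld-linux.so.2 (0x00100000)
"""


def parse_ldd(text):
    """Return (needed, unresolved): every soname the binary references, and
    the subset ldd reported as 'not found' (a runtime Requires problem)."""
    needed, unresolved = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            name, _, target = line.partition("=>")
            name = name.strip()
            if target.strip().startswith("not found"):
                unresolved.add(name)
        else:
            # The dynamic loader line has no '=>': "/lib/ld-linux.so.2 (0x...)"
            name = line.split()[0]
        needed.add(name)
    return needed, unresolved


def compare_deps(old_ldd, new_ldd):
    """Report libraries the rebuild dropped or added, plus unresolved ones."""
    old, _ = parse_ldd(old_ldd)
    new, unresolved = parse_ldd(new_ldd)
    return {
        "dropped": sorted(old - new),      # likely a missing BuildRequires
        "added": sorted(new - old),        # new linkage, worth a look too
        "unresolved": sorted(unresolved),  # missing runtime Requires
    }
```

Run it against `ldd` output captured from the old and new binaries of each package; a non-empty "dropped" list means the spec's BuildRequires need checking before the package goes to updates-testing.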
Created attachment 129317: Proposed Test Update Notification for thunderbird-1.0.8

Enclosed is a proposed updates-testing notification to go to fedora-legacy-list once pkgs are signed with the Legacy key and their SHA1-sums have been determined. I believe the thunderbird packages are ready to be pushed to updates-testing. Current packages to look at (signed with my own key) are here:

SRPM: http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/thunderbird-1.0.8-1.1.fc3.4.legacy.src.rpm
i386: http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/i386/thunderbird-1.0.8-1.1.fc3.4.legacy.i386.rpm
x86_64: http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/x86_64/thunderbird-1.0.8-1.1.fc3.4.legacy.x86_64.rpm

Thanks.
Packages were pushed to updates-testing
Timeout in 2 weeks.
Timeout over.
Created attachment 130899: Proposed Update advisory

Attached is a proposed update advisory for Thunderbird.
Packages were released to updates.
Thanks, Marc! :)