| Summary: | <mail-client/mozilla-thunderbird-3.0.4: Multiple Vulnerabilities (CVE-2010-{0173,0182}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | 7v5w7go9ub0o <7v5w7go9ub0o> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | basic, sven.koehler, tomka |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html#thunderbird3.0.4 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
7v5w7go9ub0o
2010-04-03 17:53:15 UTC

Bug report QA messages:

* Please use full package qualifiers (e.g. "sys-apps/portage", not just "portage") in bug report titles, at the beginning ideally, in the future. Thank you!

Fixed in Thunderbird 3.0.4

* MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
* MFSA 2010-22 Update NSS to support TLS renegotiation indication
* MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
* MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

Security team please feel free to bring in the archs, All archs please ensure you mark enigmail-1.0.1-r3 stable at same time.

Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-3.0.4

Everyone, sorry about the bugspam, I'm training our latest recruit.

(In reply to comment #4)
> Arches, please test and mark stable:
> =mail-client/mozilla-thunderbird-3.0.4

I would like to remark, that spell checking doesn't work for me (amd64). I'm trying to use myspell-dictionaries. FireFox finds them, Thunderbird 3.0.4 doesn't.

(In reply to comment #6)
> (In reply to comment #4)
> > Arches, please test and mark stable:
> > =mail-client/mozilla-thunderbird-3.0.4
>
> I would like to remark, that spell checking doesn't work for me (amd64).
> I'm trying to use myspell-dictionaries. FireFox finds them, Thunderbird 3.0.4
> doesn't.
>

Open up a separate bug report with that info and please provide me with an strace from startup to close.

Testing on x86: Everything fine for me.

ppc64 done

ppc done

stable x86, thanks Thomas

(In reply to comment #3)
> Security team please feel free to bring in the archs, All archs please ensure
> you mark enigmail-1.0.1-r3 stable at same time.

Readding x86 as enigmail is not stabled yet.

I did -bin and enigmail. Please note ALL packages to be stabilised in the cc message.

amd64 stable

alpha/ia64/sparc stable

Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.

Bug added to existing Mozilla GLSA request.

CVE-2010-0182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0182): The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content.

CVE-2010-0173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0173): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).