FS#6594 - Warning on Thunderbird
Attached to Project:
Arch Linux
Opened by DaNiMoTh (DaNiMoTh) - Wednesday, 14 March 2007, 14:12 GMT
Last edited by Roman Kyrylych (Romashka) - Thursday, 15 March 2007, 13:42 GMT
Details
------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#12
------------------------------------------------------------

Name: thunderbird
Date: 2007-03-07
Severity: Normal
Warning #: 2007-#12

------------------------------------------------------------

Product Background
===================
Standalone Mail/News reader

Problem Background
===================
The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with an SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library. (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

Impact
======
Malicious SSL web site could potentially (there aren't exploits, at this moment) execute arbitrary code with user's privileges

Problem Packages
===================
Package: thunderbird
Repo: current
Group: network
Unsafe: < 1.5.0.10
Safe: >=1.5.0.10

Package Fix
===================
Upgrade Thunderbird to 1.5.0.10.

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
Comment by DaNiMoTh (DaNiMoTh) -
Monday, 19 March 2007, 13:40 GMT
Thunderbird has been updated, you can close this bug. Thanks