| Beschreibung: | Description:
The remote host is missing updates announced in
advisory RHSA-2010:0896.
Mozilla Thunderbird is a standalone mail and newsgroup client.
A race condition flaw was found in the way Thunderbird handled Document
Object Model (DOM) element properties. An HTML mail message containing
malicious content could cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2010-3765)
Several flaws were found in the processing of malformed HTML mail content.
An HTML mail message containing malicious content could cause Thunderbird
to crash or, potentially, execute arbitrary code with the privileges of the
user running Thunderbird. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179,
CVE-2010-3180, CVE-2010-3183)
A same-origin policy bypass flaw was found in Thunderbird. Remote HTML
content could steal private data from different remote HTML content
Thunderbird had loaded. (CVE-2010-3178)
Note: JavaScript support is disabled by default in Thunderbird. The above
issues are not exploitable unless JavaScript is enabled.
A flaw was found in the script that launches Thunderbird. The
LD_LIBRARY_PATH variable was appending a . character, which could allow a
local attacker to execute arbitrary code with the privileges of a different
user running Thunderbird, if that user ran Thunderbird from within an
attacker-controlled directory. (CVE-2010-3182)
All Thunderbird users should upgrade to this updated package, which
resolves these issues. All running instances of Thunderbird must be
restarted for the update to take effect.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2010-0896.html
http://www.redhat.com/security/updates/classification/#moderate
Risk factor : Critical
CVSS Score:
9.3
|
