
Advisories, January 2, 2007

Written by Web Webster, Jan 3, 2007

Fedora Core


Fedora Update Notification
FEDORA-2006-004
2007-01-02


Product : Fedora Core 5
Name : thunderbird
Version : 1.5.0.9
Release : 2.fc5
Summary : Mozilla Thunderbird mail/newsgroup client

Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.


Update Information:

Mozilla Thunderbird is a standalone mail and newsgroup
client.

Several flaws were found in the way Thunderbird processes
certain malformed JavaScript code. A malicious web page could cause
the execution of JavaScript code in such a way that could cause
Thunderbird to crash or execute arbitrary code as the user running
Thunderbird. JavaScript support is disabled by default in
Thunderbird; this issue is not exploitable without enabling
JavaScript. (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6503, CVE-2006-6504)

Several flaws were found in the way Thunderbird renders web
pages. A malicious web page could cause the browser to crash or
possibly execute arbitrary code as the user running Thunderbird.
(CVE-2006-6497)

A heap based buffer overflow flaw was found in the way
Thunderbird parses the Content-Type mail header. A malicious mail
message could cause the Thunderbird client to crash or possibly
execute arbitrary code as the user running Thunderbird.
(CVE-2006-6505)

Users of Thunderbird are advised to apply this update, which
contains Thunderbird version 1.5.0.9 that corrects these
issues.


  • Tue Dec 19 2006 Matthias Clasen <mclasen@redhat.com> - 1.5.0.9-2
    • Add a Requires: launchmail (#219884)
  • Tue Dec 19 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.9-1
    • Update to 1.5.0.9
    • Take firefox’s pango fixes
    • Don’t offer to import…nothing.
  • Tue Nov 7 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.8-1
    • Update to 1.5.0.8
    • Allow choosing of download directory
    • Take the user to the correct directory from the Download Manager.
    • Patch to add support for printing via pango from Behdad.
  • Sun Oct 8 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.7-4
    • Default to use of system colors
  • Wed Oct 4 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.7-3
    • Bring the invisible character to parity with GTK+
  • Wed Sep 27 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.7-2
    • Fix crash when changing gtk key theme
    • Prevent UI freezes while changing GNOME theme
    • Remove verbiage about pango; no longer required by upstream.
  • Wed Sep 13 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.7-1
    • Update to 1.5.0.7
  • Thu Sep 7 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.5-8
    • Shuffle order of the install phase around
  • Thu Sep 7 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.5-7
    • Let there be art for Alt+Tab again
    • s/tbdir/mozappdir/g
  • Wed Sep 6 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.5-6
    • Fix for cursor position in editor widgets by tagoh and behdad (#198759)
  • Tue Sep 5 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.5-5
    • Update nopangoxft.patch
    • Fix rendering of MathML thanks to Behdad Esfahbod.
    • Update start page text to reflect the MathML fixes.
    • Enable pango by default on all locales
    • Build using -rpath
    • Re-enable GCC visibility
  • Thu Aug 3 2006 Kai Engert <kengert@redhat.com> - 1.5.0.5-4
    • Fix a build failure in mailnews mime code.
  • Tue Aug 1 2006 Matthias Clasen <mclasen@redhat.com> - 1.5.0.5-3
    • Rebuild
  • Thu Jul 27 2006 Christopher Aillon <caillon@redhat.com> - 1.5.0.5-2
    • Update to 1.5.0.5
  • Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.5.0.4-2.1
    • rebuild
  • Mon Jun 12 2006 Kai Engert <kengert@redhat.com> - 1.5.0.4-2
    • Update to 1.5.0.4
    • Fix desktop-file-utils requires

This update can be downloaded from:


http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/


This update can be installed with the ‘yum’ update program. Use
‘yum update package-name’ at the command line. For more
information, refer to ‘Managing Software with yum,’ available at
http://fedora.redhat.com/docs/yum/.

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2007:001
http://www.mandriva.com/security/


Package : libmodplug
Date : January 2, 2007
Affected: 2007.0


Problem Description:

Multiple buffer overflows in MODPlug Tracker (OpenMPT)
1.17.02.43 and earlier and libmodplug 0.8 and earlier allow
user-assisted remote attackers to execute arbitrary code via (1)
long strings in ITP files used by the CSoundFile::ReadITProject
function in soundlib/Load_it.cpp and (2) crafted modules used by
the CSoundFile::ReadSample function in soundlib/Sndfile.cpp, as
demonstrated by crafted AMF files.

Updated packages are patched to address this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4192


Updated Packages:

Mandriva Linux 2007.0:

Mandriva Linux 2007.0/X86_64:


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
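The Fedora advisory above lists its packages as SHA-1 "<hash> <relative path>" lines and the Mandriva advisories list theirs as MD5 lines; the following shell example, added here and not part of either advisory, checks a set of downloaded packages against such a list, choosing the digest by its length and reporting OK, MISMATCH or MISSING per file. The demo directory layout, file names and list contents are constructed for the test; real use would point it at the mirror directory and the advisory's package list.

```shell
#!/bin/sh
# Added example, not from the Fedora or Mandriva advisories. Verifies downloaded
# packages against "<hash> <relative path>" lines: a 40-hex-digit hash is
# checked with sha1sum (Fedora style), a 32-hex-digit hash with md5sum
# (Mandriva style). $1 = directory mirroring the download layout,
# $2 = checksum list. Prints one line per package; returns 0 only if all match.
verify_advisory_list() {
  pkgdir=$1 list=$2 bad=0
  while read -r hash relpath; do
    # skip blank lines and section headings such as "Mandriva Linux 2007.0:"
    case $hash in ''|*[!0-9a-fA-F]*) continue ;; esac
    [ -n "$relpath" ] || continue
    file=$pkgdir/$relpath
    if [ ! -f "$file" ]; then
      echo "MISSING  $relpath"; bad=1; continue
    fi
    case ${#hash} in
      40) actual=$(sha1sum "$file" | cut -d' ' -f1) ;;
      32) actual=$(md5sum "$file" | cut -d' ' -f1) ;;
      *)  echo "UNKNOWN  $relpath (digest length ${#hash})"; bad=1; continue ;;
    esac
    if [ "$(printf %s "$hash" | tr A-F a-f)" = "$actual" ]; then
      echo "OK       $relpath"
    else
      echo "MISMATCH $relpath"; bad=1
    fi
  done < "$list"
  return $bad
}

# Builds a scratch tree with constructed packages and two checksum lists so the
# verifier can be exercised offline; prints the scratch directory path.
make_demo_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/pkgs/i386" "$d/pkgs/SRPMS"
  printf 'constructed rpm payload\n' > "$d/pkgs/i386/demo-1.0-1.i386.rpm"
  printf 'constructed src payload\n' > "$d/pkgs/SRPMS/demo-1.0-1.src.rpm"
  sha=$(sha1sum "$d/pkgs/i386/demo-1.0-1.i386.rpm" | cut -d' ' -f1)
  md5=$(md5sum "$d/pkgs/SRPMS/demo-1.0-1.src.rpm" | cut -d' ' -f1)
  # good list: a heading, one Fedora-style SHA-1 line, one Mandriva-style MD5 line
  printf 'Demo Linux 1.0:\n%s i386/demo-1.0-1.i386.rpm\n%s SRPMS/demo-1.0-1.src.rpm\n' \
    "$sha" "$md5" > "$d/good.list"
  # bad list: the SHA-1 altered (every hex digit rotated) plus a file never downloaded
  printf '%s i386/demo-1.0-1.i386.rpm\n%s x86_64/demo-1.0-1.x86_64.rpm\n' \
    "$(printf %s "$sha" | tr 0-9a-f 1-9a-f0)" "$md5" > "$d/bad.list"
  echo "$d"
}
# run as a script: verify_advisory_list <download-dir> <checksum-list>
if [ $# -eq 2 ]; then verify_advisory_list "$1" "$2"; fi
```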

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2007:002
http://www.mandriva.com/security/


Package : kernel
Date : January 2, 2007
Affected: 2007.0


Problem Description:

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The Linux kernel does not properly save or restore EFLAGS during
a context switch, or reset the flags when creating new threads,
which could allow a local user to cause a Denial of Service
(process crash) (CVE-2006-5173).

The seqfile handling in the 2.6 kernel up to 2.6.18 allows local
users to cause a DoS (hang or oops) via unspecified manipulations
that trigger an infinite loop while searching for flowlabels
(CVE-2006-5619).

An integer overflow in the 2.6 kernel prior to 2.6.18.4 could
allow a local user to execute arbitrary code via a large maxnum
value in an ioctl request (CVE-2006-5751).

A race condition in the ISO9660 filesystem handling could allow
a local user to cause a DoS (infinite loop) by mounting a crafted
ISO9660 filesystem containing malformed data structures
(CVE-2006-5757).

A vulnerability in the bluetooth support could allow for
overwriting internal CMTP and CAPI data structures via malformed
packets (CVE-2006-6106).

The provided packages are patched to fix these vulnerabilities.
All users are encouraged to upgrade to these updated kernels
immediately and reboot to effect the fixes.

In addition to these security fixes, other fixes have been
included such as:

  • added the marvell IDE driver
  • use a specific driver for Jmicron chipsets rather than a generic one
  • updated the sky2 driver to fix some network hang issues

To update your kernel, please follow the directions located
at:

http://www.mandriva.com/en/security/kernelupdate


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5173

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5619

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5757

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6106


Updated Packages:

Mandriva Linux 2007.0:

Mandriva Linux 2007.0/X86_64:


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

rPath Linux

rPath Security Advisory: 2006-0234-2
Published: 2006-12-22
Updated: 2007-01-02 Added thunderbird to advisory
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification: Indirect User Deterministic Unauthorized Access
Updated Versions:
firefox=/conary.rpath.com@rpl:devel//1/1.5.0.9-0.1-1
thunderbird=/conary.rpath.com@rpl:devel//1/1.5.0.9-0.1-1

References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6497

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6498

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6501

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6502

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6503

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6504

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6505

https://issues.rpath.com/browse/RPL-883

Description:

Previous versions of the firefox package are vulnerable to
multiple types of attacks, including one that enables an attacker
to run arbitrary attacker-provided executable code if JavaScript is
enabled.

29 December 2006 Update: The thunderbird package has also been
updated to address the same vulnerabilities.
