Ubuntu Local Security Checks : Ubuntu USN-1213-1 (thunderbird)

Búsqueda de Vulnerabilidad		Buscar 219043 Descripciones CVE y 99761 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.70941

Categoría: Ubuntu Local Security Checks

Título: Ubuntu USN-1213-1 (thunderbird)

Resumen: NOSUMMARY

Descripción: Description:
The remote host is missing an update to thunderbird
announced via advisory USN-1213-1.

Details:

Benjamin Smedberg, Bob Clary, Jesse Ruderman, and Josh Aas discovered
multiple memory vulnerabilities in the Gecko rendering engine. An
attacker could use these to possibly execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2011-2995, CVE-2011-2996)

Boris Zbarsky discovered that a frame named location could shadow the
window.location object unless a script in a page grabbed a reference to the
true object before the frame was created. This is in violation of the Same
Origin Policy. A malicious E-Mail could possibly use this to access the
local file system. (CVE-2011-2999)

Mark Kaplan discovered an integer underflow in the SpiderMonkey JavaScript
engine. An attacker could potentially use this to crash Thunderbird.

Ian Graham discovered that when multiple Location headers were present,
Thunderbird would use the second one resulting in a possible CRLF injection
attack. CRLF injection issues can result in a wide variety of attacks, such
as XSS (Cross-Site Scripting) vulnerabilities, browser cache poisoning, and
cookie theft. (CVE-2011-3000)

Mariusz Mlynski discovered that if the user could be convinced to hold down
the enter key, a malicious website or E-Mail could potential pop up a
download dialog and the default open action would be selected. This would
result in potentially malicious content being run with privileges of the
user invoking Thunderbird. (CVE-2011-2372)

Solution:
The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
thunderbird 3.1.15+build1+nobinonly-0ubuntu0.11.04.1

Ubuntu 10.10:
thunderbird 3.1.15+build1+nobinonly-0ubuntu0.10.10.1

Ubuntu 10.04 LTS:
thunderbird 3.1.15+build1+nobinonly-0ubuntu0.10.04.1

http://www.securityspace.com/smysecure/catid.html?in=USN-1213-1

CVSS Score:
10.0

CVSS Vector:
AV:L/AC:L/Au:NR/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2011-2995
Debian Security Information: DSA-2312 (Google Search)
http://www.debian.org/security/2011/dsa-2312
Debian Security Information: DSA-2313 (Google Search)
http://www.debian.org/security/2011/dsa-2313
Debian Security Information: DSA-2317 (Google Search)
http://www.debian.org/security/2011/dsa-2317
http://www.mandriva.com/security/advisories?name=MDVSA-2011:139
http://www.mandriva.com/security/advisories?name=MDVSA-2011:140
http://www.mandriva.com/security/advisories?name=MDVSA-2011:141
http://www.mandriva.com/security/advisories?name=MDVSA-2011:142
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13957
http://www.redhat.com/support/errata/RHSA-2011-1341.html
http://secunia.com/advisories/46315
SuSE Security Announcement: openSUSE-SU-2011:1076 (Google Search)
http://lists.opensuse.org/opensuse-updates/2011-10/msg00002.html
Common Vulnerability Exposure (CVE) ID: CVE-2011-2996
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14064
SuSE Security Announcement: SUSE-SU-2011:1256 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html
Common Vulnerability Exposure (CVE) ID: CVE-2011-2999
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14252
Common Vulnerability Exposure (CVE) ID: CVE-2011-3000
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14361
Common Vulnerability Exposure (CVE) ID: CVE-2011-2372
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13854

Copyright Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.70941
Categoría:	Ubuntu Local Security Checks
Título:	Ubuntu USN-1213-1 (thunderbird)
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing an update to thunderbird announced via advisory USN-1213-1. Details: Benjamin Smedberg, Bob Clary, Jesse Ruderman, and Josh Aas discovered multiple memory vulnerabilities in the Gecko rendering engine. An attacker could use these to possibly execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2011-2995, CVE-2011-2996) Boris Zbarsky discovered that a frame named location could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. This is in violation of the Same Origin Policy. A malicious E-Mail could possibly use this to access the local file system. (CVE-2011-2999) Mark Kaplan discovered an integer underflow in the SpiderMonkey JavaScript engine. An attacker could potentially use this to crash Thunderbird. Ian Graham discovered that when multiple Location headers were present, Thunderbird would use the second one resulting in a possible CRLF injection attack. CRLF injection issues can result in a wide variety of attacks, such as XSS (Cross-Site Scripting) vulnerabilities, browser cache poisoning, and cookie theft. (CVE-2011-3000) Mariusz Mlynski discovered that if the user could be convinced to hold down the enter key, a malicious website or E-Mail could potential pop up a download dialog and the default open action would be selected. This would result in potentially malicious content being run with privileges of the user invoking Thunderbird. (CVE-2011-2372) Solution: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.04: thunderbird 3.1.15+build1+nobinonly-0ubuntu0.11.04.1 Ubuntu 10.10: thunderbird 3.1.15+build1+nobinonly-0ubuntu0.10.10.1 Ubuntu 10.04 LTS: thunderbird 3.1.15+build1+nobinonly-0ubuntu0.10.04.1 http://www.securityspace.com/smysecure/catid.html?in=USN-1213-1 CVSS Score: 10.0 CVSS Vector: AV:L/AC:L/Au:NR/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2011-2995 Debian Security Information: DSA-2312 (Google Search) http://www.debian.org/security/2011/dsa-2312 Debian Security Information: DSA-2313 (Google Search) http://www.debian.org/security/2011/dsa-2313 Debian Security Information: DSA-2317 (Google Search) http://www.debian.org/security/2011/dsa-2317 http://www.mandriva.com/security/advisories?name=MDVSA-2011:139 http://www.mandriva.com/security/advisories?name=MDVSA-2011:140 http://www.mandriva.com/security/advisories?name=MDVSA-2011:141 http://www.mandriva.com/security/advisories?name=MDVSA-2011:142 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13957 http://www.redhat.com/support/errata/RHSA-2011-1341.html http://secunia.com/advisories/46315 SuSE Security Announcement: openSUSE-SU-2011:1076 (Google Search) http://lists.opensuse.org/opensuse-updates/2011-10/msg00002.html Common Vulnerability Exposure (CVE) ID: CVE-2011-2996 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14064 SuSE Security Announcement: SUSE-SU-2011:1256 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html Common Vulnerability Exposure (CVE) ID: CVE-2011-2999 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14252 Common Vulnerability Exposure (CVE) ID: CVE-2011-3000 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14361 Common Vulnerability Exposure (CVE) ID: CVE-2011-2372 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13854
Copyright	Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com