Description: The remote host is missing an update to mozilla-thunderbird announced via advisory MDVSA-2011:080.
Security issues were identified and fixed in mozilla-thunderbird:
Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful format. For example, the existence or non-existence of particular images might indicate whether certain software was installed (CVE-2011-0071).
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2011-0081, CVE-2011-0069, CVE-2011-0070, CVE-2011-0080, CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, CVE-2011-0078, CVE-2011-0072).
The mozilla-thunderbird-lightning package shipped with MDVSA-2011:042 had a packaging bug that prevented the extension from being loaded (#59951).
Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490
Additionally, some packages that required it have been rebuilt and are being provided as updates.
Affected: 2009.0, 2010.0, 2010.1
Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2011:080
http://www.mozillamessaging.com/en-US/thunderbird/3.1.10/releasenotes/
Risk factor: Critical
CVSS Score: 10.0