Test ID: | 1.3.6.1.4.1.25623.1.0.841761 |
Category: | Ubuntu Local Security Checks |
Title: | Ubuntu: Security Advisory (USN-2151-1) |
Summary: | The remote host is missing an update for the 'thunderbird' package(s) announced via the USN-2151-1 advisory. |
Description: |
Summary: The remote host is missing an update for the 'thunderbird' package(s) announced via the USN-2151-1 advisory.

Vulnerability Insight:

Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman and Christoph Diehl discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1493)

Atte Kettunen discovered an out-of-bounds read during WAV file decoding. If a user had enabled audio, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2014-1497)

Robert O'Callahan discovered a mechanism for timing attacks involving SVG filters and displacements input to feDisplacementMap. If a user had enabled scripting, an attacker could potentially exploit this to steal confidential information across domains. (CVE-2014-1505)

Tyson Smith and Jesse Schwartzentruber discovered an out-of-bounds read during polygon rendering in MathML. If a user had enabled scripting, an attacker could potentially exploit this to steal confidential information across domains. (CVE-2014-1508)

John Thomson discovered a memory corruption bug in the Cairo graphics library. If a user had a malicious extension installed, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1509)

Mariusz Mlynski discovered that web content could open a chrome privileged page and bypass the popup blocker in some circumstances. If a user had enabled scripting, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1510, CVE-2014-1511)

It was discovered that memory pressure during garbage collection resulted in memory corruption in some circumstances. If a user had enabled scripting, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1512)

Juri Aedla discovered out-of-bounds reads and writes with TypedArrayObject in some circumstances. If a user had enabled scripting, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1513)

George Hotz discovered an out-of-bounds write with TypedArrayObject. If a user had enabled scripting, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1514)

Affected Software/OS: 'thunderbird' package(s) on Ubuntu 12.04, Ubuntu 12.10, Ubuntu 13.10.

Solution: Please install the updated package(s).

CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2014-1493
BugTraq ID: 66412
http://www.securityfocus.com/bid/66412
Debian Security Information: DSA-2881
http://www.debian.org/security/2014/dsa-2881
Debian Security Information: DSA-2911
http://www.debian.org/security/2014/dsa-2911
https://security.gentoo.org/glsa/201504-01
RedHat Security Advisories: RHSA-2014:0310
http://rhn.redhat.com/errata/RHSA-2014-0310.html
RedHat Security Advisories: RHSA-2014:0316
http://rhn.redhat.com/errata/RHSA-2014-0316.html
SuSE Security Announcement: SUSE-SU-2014:0418
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00016.html
SuSE Security Announcement: openSUSE-SU-2014:0419
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html
SuSE Security Announcement: openSUSE-SU-2014:0448
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00022.html
SuSE Security Announcement: openSUSE-SU-2014:0584
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00016.html
http://www.ubuntu.com/usn/USN-2151-1

Common Vulnerability Exposure (CVE) ID: CVE-2014-1497
BugTraq ID: 66423
http://www.securityfocus.com/bid/66423

Common Vulnerability Exposure (CVE) ID: CVE-2014-1505
BugTraq ID: 66418
http://www.securityfocus.com/bid/66418

Common Vulnerability Exposure (CVE) ID: CVE-2014-1508
BugTraq ID: 66426
http://www.securityfocus.com/bid/66426

Common Vulnerability Exposure (CVE) ID: CVE-2014-1509
BugTraq ID: 66425
http://www.securityfocus.com/bid/66425

Common Vulnerability Exposure (CVE) ID: CVE-2014-1510
BugTraq ID: 66206
http://www.securityfocus.com/bid/66206

Common Vulnerability Exposure (CVE) ID: CVE-2014-1511
BugTraq ID: 66207
http://www.securityfocus.com/bid/66207

Common Vulnerability Exposure (CVE) ID: CVE-2014-1512
BugTraq ID: 66209
http://www.securityfocus.com/bid/66209
Bugtraq: 20140326 VUPEN Security Research - Mozilla Firefox "BumpChunk" Object Processing Use-after-free (Pwn2Own)
http://archives.neohapsis.com/archives/bugtraq/2014-03/0145.html

Common Vulnerability Exposure (CVE) ID: CVE-2014-1513
BugTraq ID: 66203
http://www.securityfocus.com/bid/66203

Common Vulnerability Exposure (CVE) ID: CVE-2014-1514
BugTraq ID: 66240
http://www.securityfocus.com/bid/66240 |
Copyright | Copyright (C) 2014 Greenbone AG |