
Test ID:
Category:CentOS Local Security Checks
Title:CentOS Update for thunderbird CESA-2012:1089 centos5
Summary: The remote host is missing an update for the 'thunderbird' package(s) announced via the referenced advisory.

Vulnerability Insight:
Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-1948,
CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,
CVE-2012-1962, CVE-2012-1967)

Malicious content could bypass same-compartment security wrappers (SCSW)
and execute arbitrary code with chrome privileges. (CVE-2012-1959)

A flaw in the way Thunderbird called history.forward and history.back could
allow an attacker to conceal a malicious URL, possibly tricking a user
into believing they are viewing trusted content. (CVE-2012-1955)

A flaw in a parser utility class used by Thunderbird to parse feeds (such
as RSS) could allow an attacker to execute arbitrary JavaScript with the
privileges of the user running Thunderbird. This issue could have affected
other Thunderbird components or add-ons that assume the class returns
sanitized input. (CVE-2012-1957)

A flaw in the way Thunderbird handled X-Frame-Options headers could allow
malicious content to perform a clickjacking attack. (CVE-2012-1961)

A flaw in the way Content Security Policy (CSP) reports were generated by
Thunderbird could allow malicious content to steal a victim's OAuth 2.0
access tokens and OpenID credentials. (CVE-2012-1963)

A flaw in the way Thunderbird handled certificate warnings could allow a
man-in-the-middle attacker to create a crafted warning, possibly tricking
a user into accepting an arbitrary certificate as trusted. (CVE-2012-1964)

The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6
introduced a mitigation for the CVE-2011-3389 flaw. For compatibility
reasons, it remains disabled by default in the nss packages. This update
makes Thunderbird enable the mitigation by default. It can be disabled by
setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before
launching Thunderbird. (BZ#838879)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill
McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby
Holley, Mariusz Mlynski, Mario Heiderich, Frédéric Buclin, Karthikeyan
Bhargavan, and Matt McCutchen as the original reporters of these issues.

Note: None of the issues in this advisory can be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for ma ...

Description truncated, please see the referenced URL(s) for more information.

Affected Software/OS:
thunderbird on CentOS 5

Please install the updated packages.

CVSS Score:

CVSS Vector:

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2012-1948
BugTraq ID: 54580
Debian Security Information: DSA-2514 (Google Search)
Debian Security Information: DSA-2528 (Google Search)
RedHat Security Advisories: RHSA-2012:1088
SuSE Security Announcement: SUSE-SU-2012:0895 (Google Search)
SuSE Security Announcement: SUSE-SU-2012:0896 (Google Search)
SuSE Security Announcement: openSUSE-SU-2012:0899 (Google Search)
SuSE Security Announcement: openSUSE-SU-2012:0917 (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2012-1951
BugTraq ID: 54578
Common Vulnerability Exposure (CVE) ID: CVE-2012-1952
Common Vulnerability Exposure (CVE) ID: CVE-2012-1953
Common Vulnerability Exposure (CVE) ID: CVE-2012-1954
Common Vulnerability Exposure (CVE) ID: CVE-2012-1955
BugTraq ID: 54586
Common Vulnerability Exposure (CVE) ID: CVE-2012-1957
BugTraq ID: 54583
Common Vulnerability Exposure (CVE) ID: CVE-2012-1958
BugTraq ID: 54574
Common Vulnerability Exposure (CVE) ID: CVE-2012-1959
BugTraq ID: 54576
Common Vulnerability Exposure (CVE) ID: CVE-2012-1961
BugTraq ID: 54584
Common Vulnerability Exposure (CVE) ID: CVE-2012-1962
BugTraq ID: 54575
Common Vulnerability Exposure (CVE) ID: CVE-2012-1963
BugTraq ID: 54582
Common Vulnerability Exposure (CVE) ID: CVE-2012-1964
BugTraq ID: 54581
Common Vulnerability Exposure (CVE) ID: CVE-2012-1967
BugTraq ID: 54573
Common Vulnerability Exposure (CVE) ID: CVE-2011-3389
BugTraq ID: 49388
BugTraq ID: 49778
CERT/CC Advisory: TA12-010A
CERT/CC vulnerability note: VU#864643
Debian Security Information: DSA-2398 (Google Search)
HPdes Security Advisory: HPSBMU02742
HPdes Security Advisory: HPSBMU02797
HPdes Security Advisory: HPSBMU02799
HPdes Security Advisory: HPSBMU02900
HPdes Security Advisory: HPSBUX02730
HPdes Security Advisory: HPSBUX02760
HPdes Security Advisory: HPSBUX02777
HPdes Security Advisory: SSRT100710
HPdes Security Advisory: SSRT100740
HPdes Security Advisory: SSRT100805
HPdes Security Advisory: SSRT100854
HPdes Security Advisory: SSRT100867
Microsoft Security Bulletin: MS12-006
RedHat Security Advisories: RHSA-2012:0508
RedHat Security Advisories: RHSA-2013:1455
SuSE Security Announcement: SUSE-SU-2012:0114 (Google Search)
SuSE Security Announcement: SUSE-SU-2012:0122 (Google Search)
SuSE Security Announcement: SUSE-SU-2012:0602 (Google Search)
SuSE Security Announcement: openSUSE-SU-2012:0030 (Google Search)
SuSE Security Announcement: openSUSE-SU-2012:0063 (Google Search)
SuSE Security Announcement: openSUSE-SU-2020:0086 (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2012-1949
Copyright: Copyright (c) 2012 Greenbone Networks GmbH

© 1998-2022 E-Soft Inc. All rights reserved.