A series of security vulnerabilities discovered in the Mozilla Thunderbird software package has been fixed. Remote attackers can exploit them to bypass configured restrictions, carry out DoS and XSS attacks, and execute arbitrary code.
Package:
thunderbird 11.x
Operating systems:
openSUSE 11.4, openSUSE 12.1
Severity:
8.7
Problem:
error in a program function, error in a program component
Exploitation:
remote
Impact:
arbitrary code execution, injection of HTML and script code, denial of service (DoS), bypass of configured restrictions
The flaws result from multiple unspecified vulnerabilities in the browser engine and from errors in the functions "nsSMILTimeValueSpec::IsEventBased", "nsDocument::AdoptNode", "ElementAnimations::EnsureStyleRuleFor", "nsGlobalWindow::PageHidden", etc. For details of all the flaws, consult the original advisory.
Impact:
The vulnerabilities allow an attacker to carry out DoS and XSS attacks, bypass security restrictions, and execute arbitrary code.
Solution:
All users are advised to install the update.
openSUSE Security Update: MozillaThunderbird: update to Thunderbird 14.0
______________________________________________________________________________
Announcement ID: openSUSE-SU-2012:0917-1
Rating: important
References: #771583
Affected Products:
openSUSE 12.1
openSUSE 11.4
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
Mozilla Thunderbird was updated to version 14.0 (bnc#771583)
* MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 Miscellaneous memory safety hazards
* MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 Gecko memory corruption
* MFSA 2012-45/CVE-2012-1955 (bmo#757376) Spoofing issue with location
* MFSA 2012-47/CVE-2012-1957 (bmo#750096) Improper filtering of javascript in HTML feed-view
* MFSA 2012-48/CVE-2012-1958 (bmo#750820) use-after-free in nsGlobalWindow::PageHidden
* MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) Same-compartment Security Wrappers can be bypassed
* MFSA 2012-50/CVE-2012-1960 (bmo#761014) Out of bounds read in QCMS
* MFSA 2012-51/CVE-2012-1961 (bmo#761655) X-Frame-Options header ignored when duplicated
* MFSA 2012-52/CVE-2012-1962 (bmo#764296) JSDependentString::undepend string conversion results in memory corruption
* MFSA 2012-53/CVE-2012-1963 (bmo#767778) Content Security Policy 1.0 implementation errors cause data leakage
* MFSA 2012-56/CVE-2012-1967 (bmo#758344) Code execution through javascript: URLs
* relicensed to MPL-2.0
- update Enigmail to 1.4.3
- no crashreport on %arm, fixing build
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 12.1:
zypper in -t patch openSUSE-2012-443
- openSUSE 11.4:
zypper in -t patch openSUSE-2012-443
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 12.1 (x86_64):
MozillaThunderbird-14.0-33.26.1
MozillaThunderbird-buildsymbols-14.0-33.26.1
MozillaThunderbird-debuginfo-14.0-33.26.1
MozillaThunderbird-debugsource-14.0-33.26.1
MozillaThunderbird-devel-14.0-33.26.1
MozillaThunderbird-devel-debuginfo-14.0-33.26.1
MozillaThunderbird-translations-common-14.0-33.26.1
MozillaThunderbird-translations-other-14.0-33.26.1
enigmail-1.4.3+14.0-33.26.1
enigmail-debuginfo-1.4.3+14.0-33.26.1
- openSUSE 12.1 (i586):
MozillaThunderbird-14.0-33.26.2
MozillaThunderbird-buildsymbols-14.0-33.26.2
MozillaThunderbird-debuginfo-14.0-33.26.2
MozillaThunderbird-debugsource-14.0-33.26.2
MozillaThunderbird-devel-14.0-33.26.2
MozillaThunderbird-devel-debuginfo-14.0-33.26.2
MozillaThunderbird-translations-common-14.0-33.26.2
MozillaThunderbird-translations-other-14.0-33.26.2
enigmail-1.4.3+14.0-33.26.2
enigmail-debuginfo-1.4.3+14.0-33.26.2
- openSUSE 11.4 (x86_64):
MozillaThunderbird-14.0-24.1
MozillaThunderbird-buildsymbols-14.0-24.1
MozillaThunderbird-debuginfo-14.0-24.1
MozillaThunderbird-debugsource-14.0-24.1
MozillaThunderbird-devel-14.0-24.1
MozillaThunderbird-devel-debuginfo-14.0-24.1
MozillaThunderbird-translations-common-14.0-24.1
MozillaThunderbird-translations-other-14.0-24.1
enigmail-1.4.3+14.0-24.1
enigmail-debuginfo-1.4.3+14.0-24.1
- openSUSE 11.4 (i586):
MozillaThunderbird-14.0-24.2
MozillaThunderbird-buildsymbols-14.0-24.2
MozillaThunderbird-debuginfo-14.0-24.2
MozillaThunderbird-debugsource-14.0-24.2
MozillaThunderbird-devel-14.0-24.2
MozillaThunderbird-devel-debuginfo-14.0-24.2
MozillaThunderbird-translations-common-14.0-24.2
MozillaThunderbird-translations-other-14.0-24.2
enigmail-1.4.3+14.0-24.2
enigmail-debuginfo-1.4.3+14.0-24.2
References:
https://bugzilla.novell.com/771583