Nacionalni CERT

Sigurnosni nedostaci programskog paketa thunderbird

<p>==========================================================================<br />Ubuntu Security Notice USN-3436-1<br />October 11, 2017<br /><br />thunderbird vulnerabilities<br />==========================================================================<br /><br />A security issue affects these releases of Ubuntu and its derivatives:<br /><br />- Ubuntu 17.04<br />- Ubuntu 16.04 LTS<br />- Ubuntu 14.04 LTS<br /><br />Summary:<br /><br />Several security issues were fixed in Thunderbird.<br /><br />Software Description:<br />- thunderbird: Mozilla Open Source mail and newsgroup client<br /><br />Details:<br /><br />Multiple security issues were discovered in Thunderbird. If a user were<br />tricked in to opening a specially crafted website in a browsing-like<br />context, an attacker could potentially exploit these to read uninitialized<br />memory, bypass phishing and malware protection, conduct cross-site<br />scripting (XSS) attacks, cause a denial of service via application crash,<br />or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814,<br />CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)<br /><br />Martin Thomson discovered that NSS incorrectly generated handshake hashes.<br />A remote attacker could potentially exploit this to cause a denial of<br />service via application crash, or execute arbitrary code. (CVE-2017-7805)<br /><br />Update instructions:<br /><br />The problem can be corrected by updating your system to the following<br />package versions:<br /><br />Ubuntu 17.04:<br /> thunderbird 1:52.4.0+build1-0ubuntu0.17.04.2<br /><br />Ubuntu 16.04 LTS:<br /> thunderbird 1:52.4.0+build1-0ubuntu0.16.04.2<br /><br />Ubuntu 14.04 LTS:<br /> thunderbird 1:52.4.0+build1-0ubuntu0.14.04.2<br /><br />After a standard system update you need to restart Thunderbird to make<br />all the necessary changes.<br /><br />References:<br /> https://www.ubuntu.com/usn/usn-3436-1<br /> CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7814,<br /> CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824<br /><br />Package Information:<br /><br />https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu... /><br />https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu... /><br />https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu... /><br /><br />-----BEGIN PGP SIGNATURE-----<br /><br />iQEcBAEBCAAGBQJZ3fJ4AAoJEGEfvezVlG4PFBEH/ifzxdtra21hWrtBBWlCQAb2<br />39ELMVcfj+UJxhtagbrLi2PmXwGNIqxuRP0nLriWAt8Q9CFo/N/Ky9mUUk3ZR4gr<br />44avd+UiCwHoP1iwuOFjJpKwkjsgl4nVkM3I7dm/KQJl3ebOu5ZYNsiEkPxXUOHn<br />ilLvHeMaeNKT+YGKI3IcJ8JgJ+CUruMlU555Eo85/KP6lHwlTYRM/5AHT6rDPB0C<br />CH9G/vyDR6b4cvBrkxHrlN9LQqMkIGWNq9X5R7WyEh3GaiM4qkstgXRaPUOe/SKg<br />0fhZfxB4z3cpQ6mGRETKyKsJM2G1Ypb/JYhstQVciVgW7hC3Fofv42xspTMHiZA=<br />=aPPF<br />-----END PGP SIGNATURE-----<br />--</p>
Otkriveni su sigurnosni nedostaci u programskom paketu thunderbird za operacijski sustav Ubuntu. Otkriveni nedostaci potencijalnim napadačima omogućuju otkrivanje informacija, zaobilaženje sigurnosnih ograničenja, izvođenje napada uskraćivanja usluge te XSS napada ili izvršavanje proizvoljnog programskog koda. Savjetuje se ažuriranje izdanim zakrpama.