Ubuntu Security Notice USN-431-1

6th March, 2007

mozilla-thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 6.10
• Ubuntu 6.06 LTS
• Ubuntu 5.10

Details

The SSLv2 protocol support in the NSS library did not sufficiently
check the validity of public keys presented with a SSL certificate. A
malicious SSL web site using SSLv2 could potentially exploit this to
execute arbitrary code with the user's privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently
verify the validity of client master keys presented in an SSL client
certificate. A remote attacker could exploit this to execute arbitrary
code in a server application that uses the NSS library. (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening a
malicious web page. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 6.10:

mozilla-thunderbird 1.5.0.10-0ubuntu0.6.10

Ubuntu 6.06 LTS:

mozilla-thunderbird 1.5.0.10-0ubuntu0.6.06

Ubuntu 5.10:

mozilla-thunderbird 1.5.0.10-0ubuntu0.5.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

References

CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0776, CVE-2007-0777