2.0.0.23 is available

Bug #416646 reported by Jamie Strandboge on 2009-08-20
Affects: thunderbird (Ubuntu)
Importance: Undecided
Assigned to: Alexander Sack

Bug Description

Binary package hint: thunderbird

This is simply for our USN database since there are no applicable CVEs for 2.0.0.23.

CVE References

Changed in thunderbird (Ubuntu):
assignee: nobody → Alexander Sack (asac)
status: New → Fix Committed
security vulnerability: no → yes
Jamie Strandboge (jdstrand) wrote :
Changed in thunderbird (Ubuntu):
status: Fix Committed → Fix Released
Fumihito YOSHIDA (hito) wrote :

hi Jamie,

Is USN-817-1 really so?
| Several flaws were discovered in the rendering engine of Thunderbird.
| If Javascript were enabled, an attacker could exploit these flaws to crash Thunderbird.

This description seems to be 2.0.22's, but USN-817-1 points to 2.0.23.
(Thunderbird 2.0.22 is USN-782-1)

So our fix is CVE-2009-2408/MFSA2009-42.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

Maybe the valid details are below (from mitre.org):
| Thunderbird did not properly handle a NULL character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers
| to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate
| Certification Authority.

Please check.
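
The MITRE description quoted above is about a length confusion: the CN in an X.509 certificate is a length-prefixed string, but a consumer that hands it to C-string routines stops at the first 0x00 byte. A CA that validates the whole string sees "attacker.example" as the domain and issues the certificate; a client that truncates at the NUL sees only "www.bank.example" and accepts it. The following is an added example, not code from the bug report or from Thunderbird/NSS; it models that truncation alongside a matcher that rejects embedded NUL. The sample CN values, the function names and the host names are constructed for illustration.

```python
# Added example (not from the bug report or from Thunderbird/NSS): how a NUL
# byte inside an X.509 Common Name defeats C-string style hostname matching,
# and what a length-aware matcher does instead. All CN/host values below are
# constructed for illustration.

# Constructed certificate CN as the CA saw it (full, length-prefixed string):
# the rightmost domain is attacker.example, which the attacker controls.
CRAFTED_CN = b"www.bank.example\x00.attacker.example"
HONEST_CN = b"www.bank.example"


def cn_as_c_string(cn):
    """Mimic a consumer that treats the CN as a NUL-terminated C string:
    everything from the first 0x00 byte onward is silently dropped."""
    nul = cn.find(b"\x00")
    return cn if nul < 0 else cn[:nul]


def naive_hostname_match(cn, hostname):
    """Vulnerable matcher: compares the truncated C string to the host.
    For CRAFTED_CN this answers True for www.bank.example."""
    return cn_as_c_string(cn).lower() == hostname.encode("ascii").lower()


def safe_hostname_match(cn, hostname):
    """Hardened matcher: works on the full encoded CN, refuses embedded NUL
    and non-hostname bytes, then compares label by label (case-insensitive,
    single left-most wildcard label allowed, as RFC 2818 section 3.1 permits).
    """
    if b"\x00" in cn:
        return False
    try:
        cn_text = cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-.*")
    if not cn_text or any(ch not in allowed for ch in cn_text):
        return False
    cn_labels = cn_text.rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in cn_labels or "" in host_labels:
        return False
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[0] == "*":
        # A wildcard must leave at least two fixed labels (*.example.com),
        # and may only stand for the whole left-most label.
        if len(cn_labels) < 3:
            return False
        return cn_labels[1:] == host_labels[1:]
    if "*" in cn_text:
        return False
    return cn_labels == host_labels


def issuer_view(cn):
    """What a CA that honours the encoded length sees as the registrable
    domain: the last two labels of the untruncated string."""
    labels = cn.replace(b"\x00", b"").decode("ascii", "replace").split(".")
    return ".".join(labels[-2:])


if __name__ == "__main__":
    print("CA validated domain:", issuer_view(CRAFTED_CN))
    print("naive match:", naive_hostname_match(CRAFTED_CN, "www.bank.example"))
    print("safe match: ", safe_hostname_match(CRAFTED_CN, "www.bank.example"))
```

Running the block shows the mismatch the advisory text describes: the CA-side view of the crafted CN ends in attacker.example, the naive matcher still accepts it for www.bank.example, and the length-aware matcher rejects it while accepting the honest CN and a well-formed wildcard.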

Jamie Strandboge (jdstrand) wrote :

Thunderbird uses the system NSS library and is not affected by the NUL character vulnerability (it was fixed in USN-810-1). Mozilla.org also fixed rendering crashers in 2.0.0.23 without issuing MFSA for them, so I wrote a general advisory for them.

Fumihito YOSHIDA (hito) wrote :

Ah, roger. I confirmed it from the 2.0.0.22/2.0.0.23 source diff. Thanks.
