From chris.coulson at canonical.com Thu May 1 00:56:05 2014
From: chris.coulson at canonical.com (Chris Coulson)
Date: Wed, 30 Apr 2014 23:56:05 +0100
Subject: [Trisquel-security] [USN-2189-1] Thunderbird vulnerabilities
Message-ID: <53617F85.7050302@canonical.com>

==========================================================================
Ubuntu Security Notice USN-2189-1
April 30, 2014

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij,
Jesse Ruderman, Nathan Froyd and Christian Holler discovered multiple
memory safety issues in Thunderbird. If a user were tricked into opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1518)

Abhishek Arya discovered an out of bounds read when decoding JPG images.
An attacker could potentially exploit this to cause a denial of service
via application crash. (CVE-2014-1523)

Abhishek Arya discovered a buffer overflow when a script uses a non-XBL
object as an XBL object. If a user had enabled scripting, an attacker
could potentially exploit this to execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1524)

Mariusz Mlynski discovered that sites with notification permissions can
run script in a privileged context in some circumstances. If a user had
enabled scripting, an attacker could exploit this to execute arbitrary
code with the privileges of the user invoking Thunderbird. (CVE-2014-1529)

It was discovered that browser history navigations could be used to load
a site with the addressbar displaying the wrong address. If a user had
enabled scripting, an attacker could potentially exploit this to conduct
cross-site scripting or phishing attacks. (CVE-2014-1530)

A use-after-free was discovered when resizing images in some
circumstances. If a user had enabled scripting, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1531)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during
host resolution in some circumstances. An attacker could potentially
exploit this to cause a denial of service via application crash or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1532)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  thunderbird                     1:24.5.0+build1-0ubuntu0.14.04.1

Ubuntu 13.10:
  thunderbird                     1:24.5.0+build1-0ubuntu0.13.10.1

Ubuntu 12.10:
  thunderbird                     1:24.5.0+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
  thunderbird                     1:24.5.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2189-1
  CVE-2014-1518, CVE-2014-1523, CVE-2014-1524, CVE-2014-1529,
  CVE-2014-1530, CVE-2014-1531, CVE-2014-1532,
  https://launchpad.net/bugs/1313886

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.13.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.12.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.12.04.1
--
ubuntu-security-announce mailing list
ubuntu-security-announce at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


From adconrad at ubuntu.com Thu May 1 01:51:45 2014
From: adconrad at ubuntu.com (Adam Conrad)
Date: Wed, 30 Apr 2014 17:51:45 -0600
Subject: [Trisquel-security] Ubuntu 12.10 (Quantal Quetzal) reaches End of Life on May 16 2014
Message-ID: <20140430235145.GU28005@0c3.net>

Ubuntu announced its 12.10 (Quantal Quetzal) release more than 18 months
ago, on October 18, 2012. Since changes to the Ubuntu support cycle mean
that Ubuntu 13.04 has reached end of life before Ubuntu 12.10, the support
cycle for Ubuntu 12.10 has been extended slightly to overlap with the
release of Ubuntu 14.04 LTS. This allows users to move directly from
Ubuntu 12.10 to Ubuntu 14.04 LTS (via Ubuntu 13.10).

This period of overlap is now coming to a close, and we will be retiring
Ubuntu 12.10 on Friday, May 16, 2014. At that time, Ubuntu Security
Notices will no longer include information or updated packages for
Ubuntu 12.10.

The supported upgrade path from Ubuntu 12.10 is via Ubuntu 13.10, though
we highly recommend that once you've upgraded to 13.10, you continue to
upgrade through to 14.04, as 13.10's support will end in July.
Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/SaucyUpgrades
https://help.ubuntu.com/community/TrustyUpgrades

Ubuntu 13.10 and 14.04 continue to be actively supported with security
updates and select high-impact bug fixes. Announcements of security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most highly
regarded Linux distributions with millions of users in homes, schools,
businesses and governments around the world. Ubuntu is Open Source
software, costs nothing to download, and users are free to customize or
alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad