Arch Linux Security Advisory ASA-201501-7 ========================================= Severity: Critical Date : 2015-01-14 CVE-ID : CVE-2014-8634 CVE-2014-8635 CVE-2014-8638 CVE-2014-8639 Package : thunderbird Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package thunderbird before version 31.4.0-1 is vulnerable to multiple issues, that Mozilla believes not to be exploitable through email. Upgrading is still advised. Resolution ========== Upgrade to 31.4.0-1. # pacman -Syu "thunderbird>=31.4.0-1" The problem has been fixed upstream in version 31.4.0. Workaround ========== None. Description =========== - CVE-2014-8634 (arbitrary remote code execution) Christian Holler and Patrick McManus reported memory safety problems and crashes that affect Firefox ESR 31.3 and Firefox 34. - CVE-2014-8635 (arbitrary remote code execution) Christoph Diehl, Christian Holler, Gary Kwong, Jesse Ruderman, Byron Campen, Terrence Cole, and Nils Ohlmeier reported memory safety problems and crashes that affect Firefox 34. - CVE-2014-8638 (XSRF) Security researcher Muneaki Nishimura reported that navigator.sendBeacon() does not follow the cross-origin resource sharing (CORS) specification. This results in the request from sendBeacon() lacking an origin header in violation of the W3C Beacon specification and not being treated as a CORS request. This allows for a potential Cross-site request forgery (XSRF) attack from malicious websites. - CVE-2014-8639 (cookie injection) Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua University reported reported that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read. Impact ====== Mozilla believes that these issues cannot be exploited by e-mail, either because scripting is disabled or because no HTTP request should be initiated by thunderbird. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8634 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8635 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8638 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8639 https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/