Arch Linux Security Advisory ASA-201605-21 ========================================== Severity: Critical Date : 2016-05-15 CVE-ID : CVE-2016-2804 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807 Package : thunderbird Type : arbitrary code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package thunderbird before version 45.1.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 45.1.0-1. # pacman -Syu "thunderbird>=45.1.0-1" The problem has been fixed upstream in version 45.1.0. Workaround ========== None. Description =========== - CVE-2016-2804: Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve Fink reported memory safety problems and crashes. - CVE-2016-2805: Christian Holler reported a memory safety problem. - CVE-2016-2806: Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory safety problems and crashes. - CVE-2016-2807: Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes. Impact ====== A remote attacker can execute arbitrary code on the affected host. References ========== https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ https://access.redhat.com/security/cve/CVE-2016-2804 https://access.redhat.com/security/cve/CVE-2016-2805 https://access.redhat.com/security/cve/CVE-2016-2806 https://access.redhat.com/security/cve/CVE-2016-2807