[arch-security] [ASA-201602-16] thunderbird: multiple issues
Arch Linux Security Advisory ASA-201602-16
==========================================

Severity: Critical
Date    : 2016-02-21
CVE-ID  : CVE-2015-7575 CVE-2016-1523 CVE-2016-1930 CVE-2016-1931 CVE-2016-1935
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package thunderbird before version 38.6.0-1 is vulnerable to multiple issues.

Resolution
==========

Upgrade to 38.6.0-1.

# pacman -Syu "thunderbird>=38.6.0-1"

The problem has been fixed upstream in version 38.6.0.

Workaround
==========

None.

Description
===========

- CVE-2015-7575 (man-in-the-middle):

Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed accepting MD5 as a hash algorithm in signatures since 2011. This issue exposes NSS-based clients such as Firefox to theoretical collision-based forgery attacks. This issue was fixed in NSS version 3.20.2.

- CVE-2016-1523 (remote code execution):

Security researcher Holger Fuhrmannek reported that a malicious Graphite "smart font" could circumvent the validation of internal instruction parameters in the Graphite 2 library using special CNTXT_ITEM instructions. This could result in arbitrary code execution. In general this flaw cannot be exploited through email in the Thunderbird product, but is potentially a risk in browser or browser-like contexts.

- CVE-2016-1930 (remote code execution):

Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, and Randell Jesup reported memory safety problems and crashes. In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.

- CVE-2016-1931 (remote code execution):

Bob Clary, Carsten Book, Christian Holler, Nicolas Pierron, Eric Rescorla, Tyson Smith, Gabor Krizsanits, and Randell Jesup reported memory safety problems and crashes. In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.

- CVE-2016-1935 (remote code execution):

Security researcher Aki Helin used the Address Sanitizer tool to find a buffer overflow write when rendering some WebGL content. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product, but is potentially a risk in browser or browser-like contexts.

Impact
======

A remote attacker might be able to access sensitive information by performing a man-in-the-middle attack, or execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#th...
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://access.redhat.com/security/cve/CVE-2015-7575
https://access.redhat.com/security/cve/CVE-2016-1523
https://access.redhat.com/security/cve/CVE-2016-1930
https://access.redhat.com/security/cve/CVE-2016-1931
https://access.redhat.com/security/cve/CVE-2016-1935
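
Added example (not part of the advisory and not NSS code): a check a defender could run over captured handshakes to see whether a server signs its TLS 1.2 ServerKeyExchange with MD5, the condition CVE-2015-7575 concerns. The function and constant names are hypothetical, the field layout follows RFC 5246 and RFC 4492, and the sample message bodies are constructed with placeholder key shares and signatures.

```python
# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"md5"}  # the hash CVE-2015-7575 is about


def skip_vector(buf, off, len_bytes):
    """Skip one length-prefixed TLS vector; return the offset just past it."""
    if off + len_bytes > len(buf):
        raise ValueError("truncated length field")
    end = off + len_bytes + int.from_bytes(buf[off:off + len_bytes], "big")
    if end > len(buf):
        raise ValueError("truncated vector")
    return end


def ske_signature_algorithm(body, kex):
    """Return (hash, signature, weak) for a TLS 1.2 ServerKeyExchange body.

    body: handshake message body, after the 4-byte handshake header.
    kex:  "ecdhe" or "dhe", known from the negotiated cipher suite.
    """
    off = 0
    if kex == "ecdhe":
        if len(body) < 3 or body[0] != 3:   # curve_type 3 = named_curve
            raise ValueError("only named_curve ECParameters are handled")
        off = skip_vector(body, 3, 1)       # past curve_type, NamedCurve, ECPoint
    elif kex == "dhe":
        for _ in range(3):                  # dh_p, dh_g, dh_Ys
            off = skip_vector(body, off, 2)
    else:
        raise ValueError("key exchange carries no signed parameters")
    if off + 4 > len(body):
        raise ValueError("missing SignatureAndHashAlgorithm")
    hash_id, sig_id = body[off], body[off + 1]
    if skip_vector(body, off + 2, 2) != len(body):
        raise ValueError("trailing bytes after signature")
    name = HASHES.get(hash_id, f"unknown({hash_id})")
    return name, SIGS.get(sig_id, f"unknown({sig_id})"), name in WEAK_HASHES


# Constructed sample bodies: secp256r1, dummy 4-byte point, dummy 8-byte signature.
EC_PARAMS = bytes([3, 0x00, 0x17, 4]) + b"\x04\xaa\xbb\xcc"
SKE_MD5 = EC_PARAMS + bytes([1, 1]) + (8).to_bytes(2, "big") + b"\x00" * 8
SKE_SHA256 = EC_PARAMS + bytes([4, 1]) + (8).to_bytes(2, "big") + b"\x00" * 8

if __name__ == "__main__":
    for label, body in (("md5 sample", SKE_MD5), ("sha256 sample", SKE_SHA256)):
        print(label, ske_signature_algorithm(body, "ecdhe"))
```
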
participants (1)
-
Remi Gacogne