[arch-security] [ASA-201605-21] thunderbird: arbitrary code execution
Remi Gacogne
rgacogne at archlinux.org
Sun May 15 10:59:24 UTC 2016
Arch Linux Security Advisory ASA-201605-21
==========================================
Severity: Critical
Date : 2016-05-15
CVE-ID : CVE-2016-2804 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807
Package : thunderbird
Type : arbitrary code execution
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package thunderbird before version 45.1.0-1 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 45.1.0-1.
# pacman -Syu "thunderbird>=45.1.0-1"
The problem has been fixed upstream in version 45.1.0.
Workaround
==========
None.
Description
===========
- CVE-2016-2804:
Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve
Fink reported memory safety problems and crashes.
- CVE-2016-2805:
Christian Holler reported a memory safety problem.
- CVE-2016-2806:
Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten
Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory
safety problems and crashes.
- CVE-2016-2807:
Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety
problems and crashes.
Impact
======
A remote attacker can execute arbitrary code on the affected host.
References
==========
https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/
https://access.redhat.com/security/cve/CVE-2016-2804
https://access.redhat.com/security/cve/CVE-2016-2805
https://access.redhat.com/security/cve/CVE-2016-2806
https://access.redhat.com/security/cve/CVE-2016-2807
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160515/1d4853a8/attachment.asc>
More information about the arch-security
mailing list