[USN-3529-1] Thunderbird vulnerabilities
chris.coulson at canonical.com
Mon Jan 29 22:48:20 UTC 2018
Ubuntu Security Notice USN-3529-1
January 29, 2018
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Several security issues were fixed in Thunderbird.
- thunderbird: Mozilla Open Source mail and newsgroup client
It was discovered that a From address encoded with a null character is
cut off in the message header display. An attacker could potentially
exploit this to spoof the sender address. (CVE-2017-7829)
in some circumstances. If a user were tricked in to opening a specially
crafted RSS feed, an attacker could potentially exploit this in
combination with another vulnerability, in order to cause unspecified
It was discovered that the RSS feed can leak local path names. If a user
were tricked in to opening a specially crafted RSS feed, an attacker
could potentially exploit this to obtain sensitive information.
It was discovered that RSS feeds are vulnerable to new line injection. If
a user were tricked in to opening a specially crafted RSS feed, an
attacker could potentially exploit this to cause unspecified problems.
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
execute arbitrary code, or cause other unspecified effects.
(CVE-2018-5089, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097,
CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5013, CVE-2018-5104,
The problem can be corrected by updating your system to the following
Ubuntu 16.04 LTS:
Ubuntu 14.04 LTS:
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
CVE-2017-7829, CVE-2017-7846, CVE-2017-7847, CVE-2017-7848,
CVE-2018-5089, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097,
CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: OpenPGP digital signature
More information about the ubuntu-security-announce