Firefox - Unexpected response from server

NoOp glgxg at mfire.com
Wed Mar 7 18:03:49 UTC 2007


On 03/07/2007 12:26 AM, Albert Wagner wrote:
> The fix to Thunderbird, sent out this morning: Wed Mar 7, 2007, appears 
> to resolve this problem.  At least for me;  YMMV.  Thanks to the 
> developers responsible.
> 

It does indeed for me on Dapper. BTW: it appears that the problem wasn't
just with Ubuntu, one of the folks over on the Thunderbird/Firefox
support groups replied to my post with the following:

<http://groups.google.com/group/mozilla.support.firefox/msg/8216149e8b4c893e>

That leads over to:

<http://www.linuxquestions.org/questions/showthread.php?p=2426270#post2426270>

And September 2006 problems on FC5 as well w/an eventual fix by
upgrading nss... which is what was fixed in the Thunderbird release this
morning:

===========================================================
Ubuntu Security Notice USN-431-1             March 07, 2007
mozilla-thunderbird vulnerabilities
CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0776, CVE-2007-0777
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  mozilla-thunderbird                      1.5.0.10-0ubuntu0.5.10

Ubuntu 6.06 LTS:
  mozilla-thunderbird                      1.5.0.10-0ubuntu0.6.06

Ubuntu 6.10:
  mozilla-thunderbird                      1.5.0.10-0ubuntu0.6.10

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Details follow:

The SSLv2 protocol support in the NSS library did not sufficiently
check the validity of public keys presented with a SSL certificate. A
malicious SSL web site using SSLv2 could potentially exploit this to
execute arbitrary code with the user's privileges.  (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently
verify the validity of client master keys presented in an SSL client
certificate. A remote attacker could exploit this to execute arbitrary
code in a server application that uses the NSS library.  (CVE-2007-0009)

Various flaws have been reported that could allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening a
malicious web page.  (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777)

[snip]





More information about the ubuntu-users mailing list