Wednesday, November 21, 2007

Security Update : Thunderbird

After being delayed for some time, finally Slackware security team has released an update for Thunderbird package for 10.2 up to -Current. Here's the latest changelog:
Tue Nov 20 16:49:58 CST 2007
xap/mozilla-thunderbird-2.0.0.9-i686-1.tgz:
Upgraded to thunderbird-2.0.0.9.
This update fixes the following security related issues:
URIs with invalid %-encoding mishandled by Windows (MFSA 2007-36).
Crashes with evidence of memory corruption (MFSA 2007-29).
OK, so the first one obviously does not affect us. :-) The second fix has to do with the same JavaScript handling problem fixed before in Firefox.
JavaScript is not enabled by default in Thunderbird, and the developers (at least in MFSA 2007-36) do not recommend turning it on.
For more information, see:
http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
(* Security fix *)