Security Advisories for Thunderbird 3.1

Thunderbird 3.1 is unsupported. Please upgrade to the latest version.

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in Thunderbird 3.1.20

• 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
• 2012-16 Escalation of privilege with Javascript: URL as home page
• 2012-14 SVG issues found with Address Sanitizer
• 2012-13 XSS with Drag and Drop and Javascript: URL

# Fixed in Thunderbird 3.1.19

• 2012-11 libpng integer overflow

# Fixed in Thunderbird 3.1.18

• 2012-08 Crash with malformed embedded XSLT stylesheets
• 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
• 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
• 2012-02 Overly permissive IPv6 literal syntax
• 2012-01 Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26)

# Fixed in Thunderbird 3.1.17

• 2011-59 .jar not treated as executable in Firefox 3.6 on Mac

# Fixed in Thunderbird 3.1.16

• 2011-49 Memory corruption while profiling using Firebug
• 2011-47 Potential XSS against sites using Shift-JIS
• 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

# Fixed in Thunderbird 3.1.15

• 2011-40 Code installation through holding down Enter
• 2011-39 Defense against multiple Location headers due to CRLF Injection
• 2011-38 XSS via plugins and shadowed window.location object
• 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

# Fixed in Thunderbird 3.1.14

• 2011-35 Additional protection against fraudulent DigiNotar certificates

# Fixed in Thunderbird 3.1.13

• 2011-34 Protection against fraudulent DigiNotar certificates

# Fixed in Thunderbird 3.1.12

• 2011-32 Security issues addressed in Thunderbird 3.1.12

# Fixed in Thunderbird 3.1.11

• 2011-24 Cookie isolation error
• 2011-23 Multiple dangling pointer vulnerabilities
• 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
• 2011-21 Memory corruption due to multipart/x-mixed-replace images
• 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
• 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)

# Fixed in Thunderbird 3.1.10

• 2011-16 Directory traversal in resource: protocol
• 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)

# Fixed in Thunderbird 3.1.8

• 2011-09 Crash caused by corrupted JPEG image
• 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
• 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

# Fixed in Thunderbird 3.1.7

• 2010-78 Add support for OTS font sanitizer
• 2010-75 Buffer overflow while line breaking after document.write with long string
• 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

# Fixed in Thunderbird 3.1.6

• 2010-73 Heap buffer overflow mixing document.write and DOM insertion

# Fixed in Thunderbird 3.1.5

• 2010-72 Insecure Diffie-Hellman key exchange
• 2010-71 Unsafe library loading vulnerabilities
• 2010-70 SSL wildcard certificate matching IP addresses
• 2010-69 Cross-site information disclosure via modal calls
• 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
• 2010-66 Use-after-free error in nsBarProp
• 2010-65 Buffer overflow and memory corruption using document.write
• 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

# Fixed in Thunderbird 3.1.3

• 2010-63 Information leak via XMLHttpRequest statusText
• 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
• 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
• 2010-59 SJOW creates scope chains ending in outer object
• 2010-58 Crash on Mac using fuzzed font in data: URL
• 2010-57 Crash and remote code execution in normalizeDocument
• 2010-56 Dangling pointer vulnerability in nsTreeContentView
• 2010-55 XUL tree removal crash and remote code execution
• 2010-54 Dangling pointer vulnerability in nsTreeSelection
• 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
• 2010-52 Windows XP DLL loading vulnerability
• 2010-51 Dangling pointer vulnerability using DOM plugin array
• 2010-50 Frameset integer overflow vulnerability
• 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)

# Fixed in Thunderbird 3.1.1

• 2010-47 Cross-origin data leakage from script filename in error messages
• 2010-46 Cross-domain data theft using CSS
• 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
• 2010-43 Same-origin bypass using canvas context
• 2010-42 Cross-origin data disclosure via Web Workers and importScripts
• 2010-41 Remote code execution using malformed PNG image
• 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
• 2010-39 nsCSSValue::Array index integer overflow
• 2010-38 Arbitrary code execution using SJOW and fast native function
• 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)