February 17, 2012 09:39 SuSE: New nginx packages fix security vulnerabilities

A flaw in the custom DNS resolver of nginx could lead to a heap based buffer overflow which could potentially allow attackers to execute arbitrary code or to cause a Denial of Service. Updated packages are available from download.opensuse.org.

February 17, 2012 09:38 SuSE: New X.org packages fix security vulnerabilities

The X server had two security issues and one bug that is fixed by this update. It is possible for a local attacker to deduce if a file exists or not by exploiting the way that Xorg creates its lock files. It is possible for a non-root local user to set the read permission for all users on any file or directory. Updated packages are available from download.opensuse.org.

February 17, 2012 09:36 SuSE: New Firefox packages fix remote denial of service

Mozilla Firefox was updated to 3.6.26 fixing bugs and security issues. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Jesse Ruderman and Bob Clary reported memory safety problems that were fixed in both Firefox 10 and Firefox 3.6.26.

For historical reasons Firefox has been generous in its interpretation of web addresses containing square brackets around the host. If this host was not a valid IPv6 literal address, Firefox attempted to interpret the host as a regular domain name. Gregory Fleischer reported that requests made using IPv6 syntax using XMLHttpRequest objects through a proxy may generate errors depending on proxy configuration for IPv6. The resulting error messages from the proxy may disclose sensitive data because Same-Origin Policy (SOP) will allow the XMLHttpRequest object to read these error messages, allowing user privacy to be eroded. Firefox now enforces RFC 3986 IPv6 literal syntax and that may break links written using the non-standard Firefox-only forms that were previously accepted.

Security researcher regenrecht reported that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remote code execution. Security researcher regenrecht reported the possibility of memory corruption during the decoding of Ogg Vorbis files. This can cause a crash during decoding and has the potential for remote code execution. Security researchers Nicolas Gregoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution.

Updated packages are available from download.opensuse.org.

February 17, 2012 09:32 SuSE: New Linux kernel packages fix security vulnerabilities

The openSUSE 11.3 kernel was updated to fix various bugs and security issues. If root does read() on a specific socket, it’s possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used. A flaw allowed the tc_fill_qdisc() function in the packet scheduler API implementation to be called on built-in qdisc structures. A local, unprivileged user could have used this flaw to trigger a NULL pointer dereference, resulting in a denial of service. Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

The inet_diag_bc_audit function did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message. The Generic Receive Offload (GRO) implementation allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to a memory leak or memory corruption. A buffer overflow in the clusterip_proc_write function might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating ‘\0’ character.

An integer underflow in the dccp_parse_options function allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read. The skb_gro_header_slow function reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory. A NULL pointer dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel. Using the crypto interface a local user could Oops the kernel by writing to an AF_ALG socket.

Updated packages are available from download.opensuse.org.

February 17, 2012 09:30 SuSE: New XULrunner packages fix security issues

Mozilla XULrunner was updated to 1.9.2.26 security update, fixing security issues and bugs. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Jesse Ruderman and Bob Clary reported memory safety problems that were fixed in both Firefox 10 and Firefox 3.6.26.

For historical reasons Firefox has been generous in its interpretation of web addresses containing square brackets around the host. If this host was not a valid IPv6 literal address, Firefox attempted to interpret the host as a regular domain name. Gregory Fleischer reported that requests made using IPv6 syntax using XMLHttpRequest objects through a proxy may generate errors depending on proxy configuration for IPv6. Security researcher regenrecht reported that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remote code execution.

Security researcher regenrecht reported the possibility of memory corruption during the decoding of Ogg Vorbis files. This can cause a crash during decoding and has the potential for remote code execution. Security researchers Nicolas Gregoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution.

Updated packages are available from download.opensuse.org.

February 15, 2012 08:31 Red Hat: Updated kernel packages fix multiple security is...

The kernel packages contain the Linux kernel, the core of any Linux operating system. Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device. A flaw was found in the way the Linux kernel handled robust list pointers of user-space held futexes across exec() calls. A local, unprivileged user could use this flaw to cause a denial of service or, eventually, escalate their privileges.

A flaw was found in the way splitting two extents in ext4_ext_convert_to_initialized() worked. A local, unprivileged user with the ability to mount and unmount ext4 file systems could use this flaw to cause a denial of service. A flaw was found in the way the journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. A divide-by-zero flaw was found in the igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service.

Updated packages are available from ftp.redhat.com.

February 15, 2012 08:30 Debian: Security update for CVS

It was discovered that a malicious CVS server could cause a heap overflow in the CVS client, potentially allowing the server to execute arbitrary code on the client. Updated packages are available from security.debian.org.

February 15, 2012 08:29 Debian: Security update for Icedove

Several vulnerabilities have been discovered in Icedove, Debian’s variant of the Mozilla Thunderbird code base. Icedove does not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages. Memory corruption bugs could cause Icedove to crash or possibly execute arbitrary code. Icedove does not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.

Icedove allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document.

Updated packages are available from security.debian.org.

February 15, 2012 08:28 Red Hat: Updated mysql packages fix several security issues

MySQL is a multi-user, multi-threaded SQL database server. This update fixes several vulnerabilities in the MySQL database server, mostly related to remote authentication. Updated packages are available from ftp.redhat.com.

February 15, 2012 07:35 Red Hat: Updated libxml2 packages fix one security issue

The libxml2 library is a development toolbox providing the implementation of various XML standards. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Updated packages are available from ftp.redhat.com.

February 13, 2012 06:43 Red Hat: An updated squirrelmail package fixes several se...

SquirrelMail is a standards-based webmail package written in PHP. A cross-site scripting (XSS) flaw was found in the way SquirrelMail performed the sanitization of HTML style tag content. A remote attacker could use this flaw to send a specially-crafted Multipurpose Internet Mail Extensions (MIME) message that, when opened by a victim, would lead to arbitrary web script execution in the context of their SquirrelMail session. Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. A remote attacker could possibly use these flaws to execute arbitrary web script in the context of a victim’s SquirrelMail session. An input sanitization flaw was found in the way SquirrelMail handled the content of various HTML input fields. A remote attacker could use this flaw to alter user preference values via a newline character contained in the input for these fields.

It was found that the SquirrelMail Empty Trash and Index Order pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into SquirrelMail, into visiting a specially-crafted URL, the attacker could empty the victim’s trash folder or alter the ordering of the columns on the message index page. SquirrelMail was allowed to be loaded into an HTML sub-frame, allowing a remote attacker to perform a clickjacking attack against logged in users and possibly gain access to sensitive user data. With this update, the SquirrelMail main frame can only be loaded into the top most browser frame. A flaw was found in the way SquirrelMail handled failed log in attempts. A user preference file was created when attempting to log in with a password containing an 8-bit character, even if the username was not valid. A remote attacker could use this flaw to eventually consume all hard disk space on the target SquirrelMail server.

A flaw was found in the SquirrelMail Mail Fetch plug-in. If an administrator enabled this plug-in, a SquirrelMail user could use this flaw to port scan the local network the server was on.

Updated packages are available from ftp.redhat.com.

February 13, 2012 06:42 Ubuntu: New Xulrunner packages fix security vulnerabilities

Jesse Ruderman and Bob Clary discovered memory safety issues affecting the Gecko Browser engine. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Xulrunner. It was discovered that the Gecko Browser engine did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Xulrunner. It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Xulrunner.

Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Xulrunner can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Xulrunner. Gregory Fleischer discovered that requests using IPv6 hostname syntax through certain proxies might generate errors. An attacker might be able to use this to read sensitive data from the error messages.

Updated packages are available from security.ubuntu.com.

February 13, 2012 06:41 Ubuntu: New Thunderbird packages fix security vulnerabili...

Jesse Ruderman and Bob Clary discovered memory safety issues affecting Thunderbird. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. It was discovered that Thunderbird did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird.

Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Thunderbird can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. Gregory Fleischer discovered that requests using IPv6 hostname syntax through certain proxies might generate errors. An attacker might be able to use this to read sensitive data from the error messages.

Updated packages are available from security.ubuntu.com.

February 13, 2012 06:38 SuSE: New Apache packages fix security vulnerabilities

This update fixes a regression in parameter passing (in urldecoding of parameters that contain spaces). In addition, the HTTP Digest Access Authentication implementation does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value. The HTTP Digest Access Authentication implementation does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements.

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string.

Updated packages are available from download.opensuse.org.

February 13, 2012 06:34 SuSE: New Linux kernel packages fix security vulnerabilities

The SUSE Linux Enterprise 11 SP1 kernel was updated to 2.6.32.54, fixing lots of bugs and security issues. A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands. Fix a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel. Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel. Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image.

An overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted. Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks for e.g. guessing passwords by typing speed).

When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. When using X.25 communication a malicious sender could make the machine leak memory, causing crashes. A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed.

Updated packages are available from download.opensuse.org.

February 10, 2012 07:04 SuSE: New Linux kernel packages fix security vulnerabilities

The SUSE Linux Enterprise 11 SP1 kernel has been updated to 2.6.32.54, fixing numerous bugs and security issues. A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands. Fixed a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel. Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel.

Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. An overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted.

Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks for e.g. guessing passwords by typing speed). When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. When using X.25 communication a malicious sender could make the machine leak memory, causing crashes.

A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed.

Updated packages are available from download.opensuse.org.

February 10, 2012 07:03 Debian: Security update for apache2

Several vulnerabilities have been found in the Apache HTTPD Server. An integer overflow in ap_pregsub() could allow local attackers to execute arbitrary code at elevated privileges via crafted .htaccess files. The Apache HTTP Server did not properly validate the request URI for proxied requests. In certain reverse proxy configurations using the ProxyPassMatch directive or using the RewriteRule directive with the P flag, a remote attacker could make the proxy connect to an arbitrary server. This could allow the attacker to access internal servers that are not otherwise accessible from the outside.

An apache2 child process could cause the parent process to crash during shutdown. This is a violation of the privilege separation between the apache2 processes and could potentially be used to worsen the impact of other vulnerabilities. The response message for error code 400 (bad request) could be used to expose “httpOnly” cookies. This could allow a remote attacker using cross site scripting to steal authentication cookies.

Updated packages are available from security.debian.org.

February 10, 2012 07:01 Debian: Security update for QEMU

Nicolae Mogoraenu discovered a heap overflow in the emulated e1000e network interface card of QEMU, which is used in the xen-qemu-dm-4.0 packages. This vulnerability might enable malicious guest systems to crash the host system or escalate their privileges. Updated packages are available from security.debian.org.

February 10, 2012 06:59 Ubuntu: New Firefox packages fix security vulnerabilities

It was discovered that if a user chose to export their Firefox Sync key the “Firefox Recovery Key.html” file is saved with incorrect permissions, making the file contents potentially readable by other users. Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.

Tim Abraldes discovered that when encoding certain image types the resulting data was always a fixed size. There is the possibility of sensitive data from uninitialized memory being appended to these images. It was discovered that Firefox did not properly perform XPConnect security checks. An attacker could exploit this to conduct cross-site scripting (XSS) attacks through web pages and Firefox extensions. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. It was discovered that Firefox did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.

Alex Dvorov discovered that Firefox did not properly handle sub-frames in form submissions. An attacker could exploit this to conduct phishing attacks using HTML5 frames. Security researchers discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.

Updated packages are available from ftp.redhat.com.

February 10, 2012 06:57 Red Hat: Updated ghostscript packages fix multiple securi...

Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures and an interpreter for Portable Document Format (PDF) files. An integer overflow flaw was found in Ghostscript’s TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the “-I” option, or the “-P-” option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code.

Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the “-P-” option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.

Updated packages are available from ftp.redhat.com.

February 08, 2012 06:48 Red Hat: Updated freetype packages fix multiple security ...

FreeType is a free, high-quality, portable font engine that can open and manage font files. Multiple input validation flaws were found in the way FreeType processed bitmap font files. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Updated packages are available from ftp.redhat.com.

February 08, 2012 06:47 Debian: Security update for PHP

Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code. Updated packages are available from security.debian.org.

February 08, 2012 06:46 Debian: Security update for Iceape

Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey. Gregory Fleischer discovered that IPv6 URLs were incorrectly parsed, resulting in potential information disclosure. Jesse Ruderman and Bob Clary discovered memory corruption bugs, which may lead to the execution of arbitrary code. “regenrecht” discovered that missing input sanitising in the Ogg Vorbis parser may lead to the execution of arbitrary code.

Nicolas Gregoire and Aki Helin discovered that missing input sanitising in XSLT processing may lead to the execution of arbitrary code.

Updated packages are available from security.debian.org.

February 08, 2012 06:45 Debian: Security update for Iceweasel

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. Gregory Fleischer discovered that IPv6 URLs were incorrectly parsed, resulting in potential information disclosure. Jesse Ruderman and Bob Clary discovered memory corruption bugs, which may lead to the execution of arbitrary code. “regenrecht” discovered that missing input sanitising in the Ogg Vorbis parser may lead to the execution of arbitrary code.

Nicolas Gregoire and Aki Helin discovered that missing input sanitising in XSLT processing may lead to the execution of arbitrary code.

Updated packages are available from security.debian.org.

February 08, 2012 06:44 Debian: Security update for Tomcat 6

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine. The HTTP Digest Access Authentication implementation performed insufficient countermeasures against replay attacks. In rare setups passwords were written into a logfile. Missing input sanitising in the HTTP APR or HTTP NIO connectors could lead to denial of service.

AJP requests could be spoofed in some setups. Incorrect request caching could lead to information disclosure. This update also adds countermeasures against a collision denial of service vulnerability in the Java hashtable implementation and addresses denial of service potentials when processing large amounts of requests.

Updated packages are available from security.debian.org.

February 06, 2012 08:12 Red Hat: Updated openssl packages fix two security issues

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake.

Updated packages are available from ftp.redhat.com.

February 06, 2012 08:08 Ubuntu: New usbmuxd packages fix security vulnerabilities

It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices. An attacker with physical access could use this to crash usbmuxd or potentially execute arbitrary code as the ‘usbmux’ user. Updated packages are available from security.ubuntu.com.

February 06, 2012 08:07 Red Hat: An updated thunderbird package fixes two securit...

Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. The same-origin policy in Thunderbird treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client’s IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets.

Updated packages are available from ftp.redhat.com.

February 06, 2012 08:06 Red Hat: Updated seamonkey packages fix two security issues

SeaMonkey is an open source web browser, e-mail and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. The same-origin policy in SeaMonkey treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client’s IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets.

Updated packages are available from ftp.redhat.com.

February 06, 2012 08:04 Red Hat: An updated thunderbird package fixes multiple se...

Mozilla Thunderbird is a standalone mail and newsgroup client. A use-after-free flaw was found in the way Thunderbird removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, a malicious script could possibly use this flaw to cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. Several flaws were found in the processing of malformed content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A flaw was found in the way Thunderbird parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). An HTML mail message containing a malicious SVG image file could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

The same-origin policy in Thunderbird treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client’s IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets.

Updated packages are available from ftp.redhat.com.
