MozillaThunderbird: Security update to version 2.0.0.23

Mozilla Thunderbird was updated to version 2.0.0.23. The release fixes one security issue:

MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it, most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server, such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike, who also noted that since Firefox relies on SSL to protect the integrity of security updates, this attack could be used to serve malicious updates.

Update type: security

Packages: MozillaThunderbird, MozillaThunderbird-devel, MozillaThunderbird-translations (each for i586, ppc, x86_64)
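The name-handling mismatch described in the advisory, shown as an added C example (not Mozilla's or NSS's code): a C-string comparison stops at the NUL, while a length-aware check rejects the name. The function names and the `victim.example` / `attacker.example` hosts are assumptions made up for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: name bytes as stored in a length-prefixed
   certificate field. Both host names are placeholders. */
static const unsigned char SAMPLE_NAME[] = "victim.example\0.attacker.example";
#define SAMPLE_NAME_LEN (sizeof(SAMPLE_NAME) - 1)

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Pre-fix client behaviour: the field is treated as a C string, so the
   certificate's own length is ignored and matching ends at the NUL. */
int match_cstring(const unsigned char *name, size_t len, const char *host) {
    (void)len;
    size_t seen = strlen((const char *)name);
    return seen == strlen(host) && eq_nocase(name, host, seen);
}

/* Length-aware check: a name with an embedded NUL is invalid; otherwise
   all len bytes must match the expected host. */
int match_strict(const unsigned char *name, size_t len, const char *host) {
    if (memchr(name, 0, len) != NULL)
        return 0;
    return len == strlen(host) && eq_nocase(name, host, len);
}

/* The CA-side view: ownership is checked on the trailing domain,
   measured over the full length of the field. */
int name_ends_with(const unsigned char *name, size_t len, const char *suffix) {
    size_t sl = strlen(suffix);
    return len >= sl && memcmp(name + len - sl, suffix, sl) == 0;
}

int main(void) {
    printf("CA sees .attacker.example suffix: %d\n",
           name_ends_with(SAMPLE_NAME, SAMPLE_NAME_LEN, ".attacker.example"));
    printf("C-string match for victim.example: %d\n",
           match_cstring(SAMPLE_NAME, SAMPLE_NAME_LEN, "victim.example"));
    printf("strict match for victim.example:   %d\n",
           match_strict(SAMPLE_NAME, SAMPLE_NAME_LEN, "victim.example"));
    return 0;
}
```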