Thunderbird 2.0.0.12 is out
A new Thunderbird version, 2.0.0.12, has been released. This version fixes four (4) known vulnerabilities: 1 critical, 2 high and 1 moderate.
MFSA 2008-12 Heap buffer overflow in external MIME bodies
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
We were told by the security people at Mozilla a couple of weeks ago, when Firefox 2.0.0.12 was released, that this Thunderbird version contains fixes for security issues that will never be fixed in a 1.5 version. So, if you're still running Thunderbird 1.X, it is time to update!
Thanks Jason for the heads up.
Updated 2008-03-02 - Mozilla recently updated their webpage concerning MFSA 2008-07. Thunderbird 2.0.0.12 was incorrectly noted as being vulnerable but lacks the <canvas> functionality necessary to read sensitive data from memory. As such, only 4 known vulnerabilities were fixed in this version. For more information on the flaw and the updated vendor advisory, please see the following:
MFSA 2008-07 Possible information disclosure in BMP decoder
--
Raul Siles
www.raulsiles.com