Synopsis:	Moderate: thunderbird security update
Issue date:	2010-11-17
CVE Names:	CVE-2010-3175 CVE-2010-3176 CVE-2010-3178
                   CVE-2010-3179 CVE-2010-3180 CVE-2010-3182
                   CVE-2010-3183 CVE-2010-3765

A race condition flaw was found in the way Thunderbird handled Document
Object Model (DOM) element properties. An HTML mail message containing
malicious content could cause Thunderbird to crash or, potentially, 
execute arbitrary code with the privileges of the user running 
Thunderbird. (CVE-2010-3765)

Several flaws were found in the processing of malformed HTML mail 
content. An HTML mail message containing malicious content could cause 
Thunderbird to crash or, potentially, execute arbitrary code with the 
privileges of the user running Thunderbird. (CVE-2010-3175, 
CVE-2010-3176, CVE-2010-3179, CVE-2010-3180, CVE-2010-3183)

A same-origin policy bypass flaw was found in Thunderbird. Remote HTML
content could steal private data from different remote HTML content
Thunderbird had loaded. (CVE-2010-3178)

Note: JavaScript support is disabled by default in Thunderbird. The 
above issues are not exploitable unless JavaScript is enabled.

A flaw was found in the script that launches Thunderbird. The
LD_LIBRARY_PATH variable was appending a "." character, which could 
allow a local attacker to execute arbitrary code with the privileges of 
a different user running Thunderbird, if that user ran Thunderbird from 
within an attacker-controlled directory. (CVE-2010-3182)

All running instances of Thunderbird must be restarted for the update to 
take effect.

SL 6.x

      SRPMS:
thunderbird-3.1.6-1.el6_0.src.rpm
      i386:
thunderbird-3.1.6-1.el6_0.i686.rpm
      x86_64:
thunderbird-3.1.6-1.el6_0.x86_64.rpm

-Connie Sieh
-Troy Dawson