Date: | Wed, 13 Mar 2013 08:13:33 -0500 |
Content-Type: | multipart/mixed |
On 03/13/2013 04:51 AM, Dr Andrew C Aitchison wrote:
> On Tue, 12 Mar 2013, Pat Riehecky wrote:
>
>> Synopsis: Important: thunderbird security update
>> Issue Date: 2013-03-11
>> CVE Numbers: CVE-2013-0787
>> --
>>
>> A flaw was found in the processing of malformed content. Malicious content
>> could cause Thunderbird to crash or execute arbitrary code with the
>> privileges of the user running Thunderbird. (CVE-2013-0787)
>>
>> Note: This issue cannot be exploited by a specially-crafted HTML mail
>> message as JavaScript is disabled by default for mail messages. It could
>> be exploited another way in Thunderbird, for example, when viewing the
>> full remote content of an RSS feed.
>>
>> After installing the update, Thunderbird must be restarted for the changes
>> to take effect.
>> --
>>
>> SL5
>> x86_64
>> thunderbird-17.0.3-2.el5_9.x86_64.rpm
>
> # rpmquery -ip --changelog thunderbird-17.0.3-2.el5_9.x86_64.rpm
> Name : thunderbird Relocations: (not relocatable)
> Version : 17.0.3 Vendor: Scientific Linux
> Release : 2.el5_9 Build Date: Tue 12 Mar 2013 00:10:38 GMT
> Install Date: (not installed) Build Host: norob.fnal.gov
> Group : Applications/Internet Source RPM: thunderbird-17.0.3-2.el5_9.src.rpm
> Size : 73621016 License: MPLv1.1 or GPLv2+ or LGPLv2+
> URL : http://www.mozilla.org/projects/thunderbird/
> Summary : Mozilla Thunderbird mail/newsgroup client
> Description :
> Mozilla Thunderbird is a standalone mail and newsgroup client.
> * Thu Mar 07 2013 Martin Stransky <[log in to unmask]> - 17.0.3-2
> - Added fix for #848644
>
> * Sat Feb 16 2013 Jan Horak <[log in to unmask]> - 17.0.3-1
> - Update to 17.0.3 ESR
>
> Can you confirm that this does have the fix for CVE-2013-0787
> (848644 was marked NOTABUG so this probably is just a typo in the
> changelog, but it would be good to be sure) ?
>
>> thunderbird-debuginfo-17.0.3-2.el5_9.x86_64.rpm
>> i386
>> thunderbird-17.0.3-2.el5_9.i386.rpm
>> thunderbird-debuginfo-17.0.3-2.el5_9.i386.rpm
>> SL6
>> x86_64
>> thunderbird-17.0.3-2.el6_4.x86_64.rpm
>> thunderbird-debuginfo-17.0.3-2.el6_4.x86_64.rpm
>> i386
>> thunderbird-17.0.3-2.el6_4.i686.rpm
>> thunderbird-debuginfo-17.0.3-2.el6_4.i686.rpm
>>
>> - Scientific Linux Development Team
>
> Thanks,
>
Hello,
The listed packages were built with the attached patch. I believe that the
CVE is fixed by this.
Pat
--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/
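
The changelog check discussed in this thread, as an added example that is not part of the original messages or of Scientific Linux tooling: it parses `rpmquery --changelog` output and reports whether the advisory's CVE is cited and, if not, which bug numbers the newest entry references. The function names are hypothetical, and the sample text is the changelog quoted above.

```python
import re

# Constructed sample: the changelog lines quoted in the thread, in the
# layout `rpmquery -p --changelog <package>` prints them.
SAMPLE_CHANGELOG = """\
* Thu Mar 07 2013 Martin Stransky <[log in to unmask]> - 17.0.3-2
- Added fix for #848644

* Sat Feb 16 2013 Jan Horak <[log in to unmask]> - 17.0.3-1
- Update to 17.0.3 ESR
"""

# "* <weekday> <month> <day> <year> <packager> - <version-release>"
HEADER = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) (.*?)(?: - (\S+))?$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
BUG_ID = re.compile(r"#(\d+)")


def parse_changelog(text):
    """Split changelog text into entries, newest first (rpm's own order)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            entries.append({"date": header.group(1), "version": header.group(3),
                            "cves": set(), "bugs": set()})
        elif line and entries:
            # Body line: collect every CVE id and "#NNN" bug reference in it.
            entries[-1]["cves"].update(c.upper() for c in CVE_ID.findall(line))
            entries[-1]["bugs"].update(BUG_ID.findall(line))
    return entries


def audit_changelog(text, advisory_cve):
    """Report where the advisory's CVE is cited, or what to follow up instead."""
    entries = parse_changelog(text)
    cited_in = [e["version"] for e in entries if advisory_cve.upper() in e["cves"]]
    newest = entries[0] if entries else None
    return {
        "cve_cited": bool(cited_in),
        "cited_in": cited_in,
        "newest_version": newest["version"] if newest else None,
        # Bug numbers in the newest entry are the leads to check by hand.
        "follow_up_bugs": sorted(newest["bugs"]) if newest and not cited_in else [],
    }


if __name__ == "__main__":
    print(audit_changelog(SAMPLE_CHANGELOG, "CVE-2013-0787"))
```

A result of `cve_cited: False` only says the changelog does not name the CVE; as the reply above shows, the build can still carry the patch, so the bug numbers returned are leads for a manual check.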