SCIENTIFIC-LINUX-DEVEL Archives

March 2013

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
Pat Riehecky <[log in to unmask]>
Reply To:
Pat Riehecky <[log in to unmask]>
Date:
Wed, 13 Mar 2013 08:13:33 -0500
Content-Type:
multipart/mixed
Parts/Attachments:
text/plain (2569 bytes) , mozilla-848644.patch (861 bytes)
On 03/13/2013 04:51 AM, Dr Andrew C Aitchison wrote:
> On Tue, 12 Mar 2013, Pat Riehecky wrote:
>
>> Synopsis:          Important: thunderbird security update
>> Issue Date:        2013-03-11
>> CVE Numbers:       CVE-2013-0787
>> -- 
>>
>> A flaw was found in the processing of malformed content. Malicious content
>> could cause Thunderbird to crash or execute arbitrary code with the
>> privileges of the user running Thunderbird. (CVE-2013-0787)
>>
>> Note: This issue cannot be exploited by a specially-crafted HTML mail
>> message as JavaScript is disabled by default for mail messages. It could
>> be exploited another way in Thunderbird, for example, when viewing the
>> full remote content of an RSS feed.
>>
>> After installing the update, Thunderbird must be restarted for the changes
>> to take effect.
>> -- 
>>
>> SL5
>>  x86_64
>>    thunderbird-17.0.3-2.el5_9.x86_64.rpm
>
> # rpmquery -ip --changelog thunderbird-17.0.3-2.el5_9.x86_64.rpm
> Name        : thunderbird                  Relocations: (not relocatable)
> Version     : 17.0.3                            Vendor: Scientific Linux
> Release     : 2.el5_9                       Build Date: Tue 12 Mar 2013 00:10:38 GMT
> Install Date: (not installed)               Build Host: norob.fnal.gov
> Group       : Applications/Internet         Source RPM: thunderbird-17.0.3-2.el5_9.src.rpm
> Size        : 73621016                         License: MPLv1.1 or GPLv2+ or LGPLv2+
> URL         : http://www.mozilla.org/projects/thunderbird/
> Summary     : Mozilla Thunderbird mail/newsgroup client
> Description :
> Mozilla Thunderbird is a standalone mail and newsgroup client.
> * Thu Mar 07 2013 Martin Stransky <[log in to unmask]> - 17.0.3-2
> - Added fix for #848644
>
> * Sat Feb 16 2013 Jan Horak <[log in to unmask]> - 17.0.3-1
> - Update to 17.0.3 ESR
>
> Can you confirm that this does have the fix for CVE-2013-0787
> (848644 was marked NOTABUG so this probably is just a typo in the
> changelog, but it would be good to be sure)?
>
>>    thunderbird-debuginfo-17.0.3-2.el5_9.x86_64.rpm
>>  i386
>>    thunderbird-17.0.3-2.el5_9.i386.rpm
>>    thunderbird-debuginfo-17.0.3-2.el5_9.i386.rpm
>> SL6
>>  x86_64
>>    thunderbird-17.0.3-2.el6_4.x86_64.rpm
>>    thunderbird-debuginfo-17.0.3-2.el6_4.x86_64.rpm
>>  i386
>>    thunderbird-17.0.3-2.el6_4.i686.rpm
>>    thunderbird-debuginfo-17.0.3-2.el6_4.i686.rpm
>>
>> - Scientific Linux Development Team
>
> Thanks,
>

Hello,

The listed packages were built with the attached patch.  I believe that the 
CVE is fixed by this.

Pat

-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/


