This announcement accidentally excluded the following SL5 packages:

SL5:
i386:
thunderbird-31.3.0-1.el5_11.i386.rpm
thunderbird-debuginfo-31.3.0-1.el5_11.i386.rpm

x86_64:
thunderbird-31.3.0-1.el5_11.x86_64.rpm
thunderbird-debuginfo-31.3.0-1.el5_11.x86_64.rpm

On 12/03/2014 01:39 PM, Pat Riehecky wrote:
> Synopsis:          Important: thunderbird security update
> Advisory ID:       SLSA-2014:1924-1
> Issue Date:        2014-12-02
> CVE Numbers:       CVE-2014-1587
>                     CVE-2014-1590
>                     CVE-2014-1592
>                     CVE-2014-1593
>                     CVE-2014-1594
> --
>
> Several flaws were found in the processing of malformed web content. A web
> page containing malicious content could cause Thunderbird to crash or,
> potentially, execute arbitrary code with the privileges of the user
> running Thunderbird. (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592,
> CVE-2014-1593)
>
> A flaw was found in the Alarm API, which could allow applications to
> schedule actions to be run in the future. A malicious web application
> could use this flaw to bypass the same-origin policy. (CVE-2014-1594)
>
> Note: All of the above issues cannot be exploited by a specially crafted
> HTML mail message as JavaScript is disabled by default for mail messages.
> They could be exploited another way in Thunderbird, for example, when
> viewing the full remote content of an RSS feed.
>
> This update disables SSL 3.0 support by default in Thunderbird. Details on
> how to re-enable SSL 3.0 support are available at:
>
> After installing the update, Thunderbird must be restarted for the changes
> to take effect.
> --
>
> SL6
>    x86_64
>      thunderbird-31.3.0-1.el6_6.x86_64.rpm
>      thunderbird-debuginfo-31.3.0-1.el6_6.x86_64.rpm
>    i386
>      thunderbird-31.3.0-1.el6_6.i686.rpm
>      thunderbird-debuginfo-31.3.0-1.el6_6.i686.rpm
>
> - Scientific Linux Development Team

-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/