On Tue, 12 Mar 2013, Pat Riehecky wrote:

> Synopsis:    Important: thunderbird security update
> Issue Date:  2013-03-11
> CVE Numbers: CVE-2013-0787
> --
>
> A flaw was found in the processing of malformed content. Malicious content
> could cause Thunderbird to crash or execute arbitrary code with the
> privileges of the user running Thunderbird. (CVE-2013-0787)
>
> Note: This issue cannot be exploited by a specially-crafted HTML mail
> message as JavaScript is disabled by default for mail messages. It could
> be exploited another way in Thunderbird, for example, when viewing the
> full remote content of an RSS feed.
>
> After installing the update, Thunderbird must be restarted for the changes
> to take effect.
> --
>
> SL5
>   x86_64
>     thunderbird-17.0.3-2.el5_9.x86_64.rpm

# rpmquery -ip --changelog thunderbird-17.0.3-2.el5_9.x86_64.rpm
Name        : thunderbird                  Relocations: (not relocatable)
Version     : 17.0.3                            Vendor: Scientific Linux
Release     : 2.el5_9                       Build Date: Tue 12 Mar 2013 00:10:38 GMT
Install Date: (not installed)               Build Host: norob.fnal.gov
Group       : Applications/Internet         Source RPM: thunderbird-17.0.3-2.el5_9.src.rpm
Size        : 73621016                         License: MPLv1.1 or GPLv2+ or LGPLv2+
URL         : http://www.mozilla.org/projects/thunderbird/
Summary     : Mozilla Thunderbird mail/newsgroup client
Description :
Mozilla Thunderbird is a standalone mail and newsgroup client.
* Thu Mar 07 2013 Martin Stransky <[log in to unmask]> - 17.0.3-2
- Added fix for #848644

* Sat Feb 16 2013 Jan Horak <[log in to unmask]> - 17.0.3-1
- Update to 17.0.3 ESR

Can you confirm that this does have the fix for CVE-2013-0787
(848644 was marked NOTABUG so this probably is just a typo in the
changelog, but it would be good to be sure)?

>     thunderbird-debuginfo-17.0.3-2.el5_9.x86_64.rpm
>   i386
>     thunderbird-17.0.3-2.el5_9.i386.rpm
>     thunderbird-debuginfo-17.0.3-2.el5_9.i386.rpm
> SL6
>   x86_64
>     thunderbird-17.0.3-2.el6_4.x86_64.rpm
>     thunderbird-debuginfo-17.0.3-2.el6_4.x86_64.rpm
>   i386
>     thunderbird-17.0.3-2.el6_4.i686.rpm
>     thunderbird-debuginfo-17.0.3-2.el6_4.i686.rpm
>
> - Scientific Linux Development Team

Thanks,

-- 
Dr. Andrew C. Aitchison         Computer Officer, DPMMS, Cambridge
[log in to unmask]              http://www.dpmms.cam.ac.uk/~werdna
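
The changelog check done by hand in the message above, as an added example that is not part of the original e-mail or of any Scientific Linux tooling: it reports, for each changelog entry, whether the CVE id is cited and which bug numbers are referenced, so that entries naming only a bug number stand out for manual confirmation. The function names `changelog_audit` and `sample_changelog` are hypothetical, the sample text is constructed from the changelog quoted above (addresses replaced by `<masked>`), and each entry header is assumed to end with the version-release.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original message).
# Usage with a real package:
#   rpm -qp --changelog PACKAGE.rpm | changelog_audit CVE-2013-0787
# Output: one line per changelog entry:
#   <version-release> <cve|nocve> <comma-separated #bug refs, or ->

changelog_audit() {
    awk -v cve="$1" '
        function emit() {
            if (ver != "")
                print ver, (hit ? "cve" : "nocve"), (bugs == "" ? "-" : bugs)
        }
        /^\* / {                 # entry header: "* Day Mon DD YYYY Name <mail> - ver-rel"
            emit()
            ver = $NF            # assumption: header ends with version-release
            hit = 0; bugs = ""
            next
        }
        ver != "" {
            if (index($0, cve)) hit = 1          # literal match on the CVE id
            line = $0
            while (match(line, /#[0-9]+/)) {     # collect every "#NNNN" bug reference
                ref = substr(line, RSTART, RLENGTH)
                bugs = (bugs == "" ? ref : bugs "," ref)
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { emit() }
    '
}

# Constructed sample: the two changelog entries quoted in the message above.
sample_changelog() {
    cat <<'EOF'
* Thu Mar 07 2013 Martin Stransky <masked> - 17.0.3-2
- Added fix for #848644

* Sat Feb 16 2013 Jan Horak <masked> - 17.0.3-1
- Update to 17.0.3 ESR
EOF
}

# Neither entry cites the CVE id; the newest one cites only a bug number,
# which is the case that needs confirming against the bug tracker or packager.
sample_changelog | changelog_audit CVE-2013-0787
```

A `nocve` result means only that the changelog text does not cite the id, not that the fix is absent from the build.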