On 03/13/2013 04:51 AM, Dr Andrew C Aitchison wrote:
> On Tue, 12 Mar 2013, Pat Riehecky wrote:
>
>> Synopsis: Important: thunderbird security update
>> Issue Date: 2013-03-11
>> CVE Numbers: CVE-2013-0787
>> --
>>
>> A flaw was found in the processing of malformed content. Malicious content
>> could cause Thunderbird to crash or execute arbitrary code with the
>> privileges of the user running Thunderbird. (CVE-2013-0787)
>>
>> Note: This issue cannot be exploited by a specially-crafted HTML mail
>> message as JavaScript is disabled by default for mail messages. It could
>> be exploited another way in Thunderbird, for example, when viewing the
>> full remote content of an RSS feed.
>>
>> After installing the update, Thunderbird must be restarted for the changes
>> to take effect.
>> --
>>
>> SL5
>> x86_64
>> thunderbird-17.0.3-2.el5_9.x86_64.rpm
>
> # rpmquery -ip --changelog thunderbird-17.0.3-2.el5_9.x86_64.rpm
> Name        : thunderbird                  Relocations: (not relocatable)
> Version     : 17.0.3                       Vendor: Scientific Linux
> Release     : 2.el5_9                      Build Date: Tue 12 Mar 2013 00:10:38 GMT
> Install Date: (not installed)              Build Host: norob.fnal.gov
> Group       : Applications/Internet        Source RPM: thunderbird-17.0.3-2.el5_9.src.rpm
> Size        : 73621016                     License: MPLv1.1 or GPLv2+ or LGPLv2+
> URL         : http://www.mozilla.org/projects/thunderbird/
> Summary     : Mozilla Thunderbird mail/newsgroup client
> Description :
> Mozilla Thunderbird is a standalone mail and newsgroup client.
> * Thu Mar 07 2013 Martin Stransky <[log in to unmask]> - 17.0.3-2
> - Added fix for #848644
>
> * Sat Feb 16 2013 Jan Horak <[log in to unmask]> - 17.0.3-1
> - Update to 17.0.3 ESR
>
> Can you confirm that this does have the fix for CVE-2013-0787
> (848644 was marked NOTABUG so this probably is just a typo in the
> changelog, but it would be good to be sure)?
>
>> thunderbird-debuginfo-17.0.3-2.el5_9.x86_64.rpm
>> i386
>> thunderbird-17.0.3-2.el5_9.i386.rpm
>> thunderbird-debuginfo-17.0.3-2.el5_9.i386.rpm
>> SL6
>> x86_64
>> thunderbird-17.0.3-2.el6_4.x86_64.rpm
>> thunderbird-debuginfo-17.0.3-2.el6_4.x86_64.rpm
>> i386
>> thunderbird-17.0.3-2.el6_4.i686.rpm
>> thunderbird-debuginfo-17.0.3-2.el6_4.i686.rpm
>>
>> - Scientific Linux Development Team
>
> Thanks,
>

Hello,

The listed packages were built with the attached patch. I believe that the CVE is fixed by this.

Pat

--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/
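The check Andrew did by hand above (read the package changelog and look for the CVE or bug id) can be scripted. The following is an added example, not code from the thread or from Scientific Linux: `changelog_mentions` parses text in the `rpmquery --changelog` format (a `* date author - version-release` header followed by `- ` body lines) and prints the version-release of every entry whose body matches a regex; `rpm_changelog_mentions` feeds it the changelog of a local `.rpm` file via `rpmquery -p --changelog`, the same command used in the thread. The sample changelog is constructed, modelled on the quoted output, with placeholder addresses.

```shell
#!/bin/sh
# Constructed sample in rpm changelog format (modelled on the thread's quoted
# rpmquery output; addresses are placeholders, not the maintainers' real ones).
SAMPLE_CHANGELOG='* Thu Mar 07 2013 Martin Stransky <maintainer@example.invalid> - 17.0.3-2
- Added fix for #848644

* Sat Feb 16 2013 Jan Horak <maintainer@example.invalid> - 17.0.3-1
- Update to 17.0.3 ESR
'

# changelog_mentions CHANGELOG_TEXT PATTERN
# Prints the version-release of each changelog entry whose body lines match
# PATTERN (an awk extended regex), one per line, sorted and de-duplicated.
# Prints nothing when no entry matches.
changelog_mentions() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^\* / { ver = $NF; next }   # entry header: last field is version-release
        $0 ~ pat { print ver }        # body line referencing the id we look for
    ' | sort -u
}

# rpm_changelog_mentions RPMFILE PATTERN
# Same check against a package file on disk; requires the rpm tools.
rpm_changelog_mentions() {
    changelog_mentions "$(rpmquery -p --changelog "$1")" "$2"
}

# Usage: which entries of the sample reference the bug id, and which the CVE?
changelog_mentions "$SAMPLE_CHANGELOG" '#848644'        # prints 17.0.3-2
changelog_mentions "$SAMPLE_CHANGELOG" 'CVE-2013-0787'  # prints nothing
```

An empty result for the CVE is exactly the situation in the thread: the changelog cites a bug number rather than the CVE, so the changelog alone cannot confirm the fix, and the maintainer's statement about the applied patch is what settles it.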