This announcement accidentally excluded the following SL5 packages:

SL5:
  i386:
    thunderbird-31.3.0-1.el5_11.i386.rpm
    thunderbird-debuginfo-31.3.0-1.el5_11.i386.rpm
  x86_64:
    thunderbird-31.3.0-1.el5_11.x86_64.rpm
    thunderbird-debuginfo-31.3.0-1.el5_11.x86_64.rpm

On 12/03/2014 01:39 PM, Pat Riehecky wrote:
> Synopsis:          Important: thunderbird security update
> Advisory ID:       SLSA-2014:1924-1
> Issue Date:        2014-12-02
> CVE Numbers:       CVE-2014-1587
>                    CVE-2014-1590
>                    CVE-2014-1592
>                    CVE-2014-1593
>                    CVE-2014-1594
> --
>
> Several flaws were found in the processing of malformed web content. A web
> page containing malicious content could cause Thunderbird to crash or,
> potentially, execute arbitrary code with the privileges of the user
> running Thunderbird. (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592,
> CVE-2014-1593)
>
> A flaw was found in the Alarm API, which could allow applications to
> schedule actions to be run in the future. A malicious web application
> could use this flaw to bypass the same-origin policy. (CVE-2014-1594)
>
> Note: All of the above issues cannot be exploited by a specially crafted
> HTML mail message as JavaScript is disabled by default for mail messages.
> They could be exploited another way in Thunderbird, for example, when
> viewing the full remote content of an RSS feed.
>
> This update disables SSL 3.0 support by default in Thunderbird. Details on
> how to re-enable SSL 3.0 support are available at:
>
> After installing the update, Thunderbird must be restarted for the changes
> to take effect.
> --
>
> SL6
>   x86_64
>     thunderbird-31.3.0-1.el6_6.x86_64.rpm
>     thunderbird-debuginfo-31.3.0-1.el6_6.x86_64.rpm
>   i386
>     thunderbird-31.3.0-1.el6_6.i686.rpm
>     thunderbird-debuginfo-31.3.0-1.el6_6.i686.rpm
>
> - Scientific Linux Development Team

-- 
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/
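
A check a host owner could run against this advisory, added here as an example and not part of the original announcement: it compares `rpm -q thunderbird` output lines with the fixed SL5 and SL6 builds listed above. It uses a simplified RPM version comparison (no epoch, `~` or `^` handling); the function names and the sample lines are constructed for illustration.

```python
import re

# Fixed builds named in this advisory, keyed by the dist tag in the release.
FIXED = {"el5": ("31.3.0", "1.el5_11"), "el6": ("31.3.0", "1.el6_6")}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare runs of digits/letters left to right."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alpha run
        if x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch[.rpm]' as printed by `rpm -q`."""
    s = line.strip()
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def status(line):
    """Return 'fixed', 'needs-update', or 'not-covered' for one package line."""
    name, version, release, _arch = parse_nvra(line)
    dist = re.search(r"\.(el[0-9]+)", release)
    if name != "thunderbird" or not dist or dist.group(1) not in FIXED:
        return "not-covered"  # advisory lists no fixed build for this package
    fixed_ver, fixed_rel = FIXED[dist.group(1)]
    cmp = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
    return "needs-update" if cmp < 0 else "fixed"

if __name__ == "__main__":
    # Constructed sample input standing in for `rpm -q thunderbird` output.
    for line in ["thunderbird-24.8.0-1.el5_10.i386",
                 "thunderbird-31.3.0-1.el5_11.x86_64",
                 "thunderbird-31.3.0-1.el6_6.i686",
                 "thunderbird-31.3.0-1.el7_0.x86_64"]:
        print(f"{line}: {status(line)}")
```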