|| ||Pat Riehecky <email@example.com> |
|| ||Security ERRATA Critical: thunderbird on SL5.x, SL6.x i386/x86_64 |
|| ||Wed, 20 Feb 2013 13:16:37 -0600|
|| ||Article, Thread
Synopsis: Critical: thunderbird security update
Issue Date: 2013-02-19
CVE Numbers: CVE-2013-0783
Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-0775,
CVE-2013-0780, CVE-2013-0782, CVE-2013-0783)
It was found that, after canceling a proxy server's authentication
address bar continued to show the requested site's address. An attacker
use this flaw to conduct phishing attacks by tricking a user into believing
they are viewing trusted content. (CVE-2013-0776)
Note: All issues cannot be exploited by a specially-crafted HTML mail
another way in Thunderbird, for example, when viewing the full remote
of an RSS feed.
Important: This erratum upgrades Thunderbird to version 17.0.3 ESR.
17 is not completely backwards-compatible with all Mozilla add-ons and
Thunderbird plug-ins that worked with Thunderbird 10.0. Thunderbird 17
compatibility on first-launch, and, depending on the individual
and the installed add-ons and plug-ins, may disable said Add-ons and
or attempt to check for updates and upgrade them. Add-ons and plug-ins
to be manually updated.
After installing the update, Thunderbird must be restarted for the changes
to take effect.
- Scientific Linux Development Team
to post comments)