[RHSA-2013:0821] thunderbird security update

Severity Important

Affected Packages 4

CVEs 10

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-0801,
CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678,
CVE-2013-1679, CVE-2013-1680, CVE-2013-1681)

A flaw was found in the way Thunderbird handled Content Level Constructors.
Malicious content could use this flaw to perform cross-site scripting (XSS)
attacks. (CVE-2013-1670)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christoph Diehl, Christian Holler, Jesse Ruderman,
Timothy Nikkel, Jeff Walden, Nils, Ms2ger, Abhishek Arya, and Cody Crews as
the original reporters of these issues.

Note: All of the above issues cannot be exploited by a specially-crafted
HTML mail message as JavaScript is disabled by default for mail messages.
They could be exploited another way in Thunderbird, for example, when
viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 17.0.6 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

Package	Affected Version
pkg:rpm/redhat/thunderbird?arch=x86_64&distro=redhat-6.4	< 17.0.6-2.el6_4
pkg:rpm/redhat/thunderbird?arch=s390x&distro=redhat-6.4	< 17.0.6-2.el6_4
pkg:rpm/redhat/thunderbird?arch=ppc64&distro=redhat-6.4	< 17.0.6-2.el6_4
pkg:rpm/redhat/thunderbird?arch=i686&distro=redhat-6.4	< 17.0.6-2.el6_4

ID

RHSA-2013:0821

Severity

important

URL

https://access.redhat.com/errata/RHSA-2013:0821

Published

2013-05-14T00:00:00
(11 years ago)

Modified

2013-05-14T00:00:00
(11 years ago)

Rights

Other Advisories

Source	# ID	URL
Bugzilla	962591	https://bugzilla.redhat.com/962591
Bugzilla	962596	https://bugzilla.redhat.com/962596
Bugzilla	962598	https://bugzilla.redhat.com/962598
Bugzilla	962601	https://bugzilla.redhat.com/962601
Bugzilla	962603	https://bugzilla.redhat.com/962603
RHSA	RHSA-2013:0821	https://access.redhat.com/errata/RHSA-2013:0821
CVE	CVE-2013-0801	https://access.redhat.com/security/cve/CVE-2013-0801
CVE	CVE-2013-1670	https://access.redhat.com/security/cve/CVE-2013-1670
CVE	CVE-2013-1674	https://access.redhat.com/security/cve/CVE-2013-1674
CVE	CVE-2013-1675	https://access.redhat.com/security/cve/CVE-2013-1675
CVE	CVE-2013-1676	https://access.redhat.com/security/cve/CVE-2013-1676
CVE	CVE-2013-1677	https://access.redhat.com/security/cve/CVE-2013-1677
CVE	CVE-2013-1678	https://access.redhat.com/security/cve/CVE-2013-1678
CVE	CVE-2013-1679	https://access.redhat.com/security/cve/CVE-2013-1679
CVE	CVE-2013-1680	https://access.redhat.com/security/cve/CVE-2013-1680
CVE	CVE-2013-1681	https://access.redhat.com/security/cve/CVE-2013-1681

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/redhat/thunderbird?arch=x86_64&distro=redhat-6.4	redhat	thunderbird	< 17.0.6-2.el6_4	redhat-6.4	x86_64
Affected	pkg:rpm/redhat/thunderbird?arch=s390x&distro=redhat-6.4	redhat	thunderbird	< 17.0.6-2.el6_4	redhat-6.4	s390x
Affected	pkg:rpm/redhat/thunderbird?arch=ppc64&distro=redhat-6.4	redhat	thunderbird	< 17.0.6-2.el6_4	redhat-6.4	ppc64
Affected	pkg:rpm/redhat/thunderbird?arch=i686&distro=redhat-6.4	redhat	thunderbird	< 17.0.6-2.el6_4	redhat-6.4	i686

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date