Synopsis: Critical: thunderbird security update
Issue Date: 2013-02-19
CVE Numbers: CVE-2013-0783
Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-0775,
CVE-2013-0780, CVE-2013-0782, CVE-2013-0783)
It was found that, after canceling a proxy server’s authentication prompt, the
address bar continued to show the requested site’s address. An attacker could
use this flaw to conduct phishing attacks by tricking a user into believing
they are viewing trusted content. (CVE-2013-0776)
Note: All issues cannot be exploited by a specially-crafted HTML mail message
another way in Thunderbird, for example, when viewing the full remote content
of an RSS feed.
Important: This erratum upgrades Thunderbird to version 17.0.3 ESR. Thunderbird
17 is not completely backwards-compatible with all Mozilla add-ons and
Thunderbird plug-ins that worked with Thunderbird 10.0. Thunderbird 17 checks
compatibility on first-launch, and, depending on the individual configuration
and the installed add-ons and plug-ins, may disable said Add-ons and plug-ins,
or attempt to check for updates and upgrade them. Add-ons and plug-ins may have
to be manually updated.
After installing the update, Thunderbird must be restarted for the changes
to take effect.
– Scientific Linux Development Team