RedHat has issued an advisory on February 19: https://rhn.redhat.com/errata/RHSA-2013-0272.html
Depends on: (none) => 9141
Source RPM: thunderbird-10.0.12-1.mga2 => thunderbird-10.0.12-1.mga2.src.rpm
Hopefully this is also ready for QA.

Funda, I hope you propedit'd your last svn revision log entry for thunderbird-l10n and changed SILNET to SILENT :o)

This hasn't been pushed in Cauldron yet, but it has been requested and I just pinged the request since this is now a security update (hopefully Mozilla won't be so slow getting out the advisories in the future...).

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site (CVE-2013-0773).

Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors (CVE-2013-0774).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2013-0775, CVE-2013-0780, CVE-2013-0782, CVE-2013-0783).

It was found that, after canceling a proxy server's authentication prompt, the address bar continued to show the requested site's address. An attacker could use this flaw to conduct phishing attacks by tricking a user into believing they are viewing a trusted site (CVE-2013-0776).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
https://rhn.redhat.com/errata/RHSA-2013-0272.html
========================

Source RPMs:
thunderbird-17.0.3-1.mga2.src.rpm
thunderbird-l10n-17.0.3-1.1.mga2.src.rpm
CC: (none) => fundawang
Assignee: bugsquad => qa-bugs
Upgrade was fine here besides two extensions which were no longer working (Lightning and a Google one), but nobody (Mozilla or Mageia) can do anything about that, and it works after 30 seconds of user time. So mga64 OK here.
Testing complete on Mageia 2 i586, including enigmail, nntp, and email.

Could someone from the sysadmin team push the srpms
thunderbird-17.0.3-1.mga2.src.rpm
thunderbird-l10n-17.0.3-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

See comment 1 for the advisory and references.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Blocks: (none) => 9151
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0064
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED