Bug 9142 - Thunderbird 17.0.3
: Thunderbird 17.0.3
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/539198/
: MGA2-64-OK MGA2-32-OK
: validated_update
: 9141
: 9151
  Show dependency treegraph
 
Reported: 2013-02-21 01:08 CET by David Walser
Modified: 2013-02-21 22:26 CET (History)
4 users (show)

See Also:
Source RPM: thunderbird-10.0.12-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2013-02-21 01:08:15 CET
RedHat has issued an advisory on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0272.html

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-02-21 02:28:26 CET
Hopefully this is also ready for QA.

Funda, I hope you propedit'd your last svn revision log entry for thunderbird-l10n and changed SILNET to SILENT :o)

This hasn't been pushed in Cauldron yet, but it has been requested and I just pinged the request since this is now a security update (hopefully Mozilla won't be so slow getting out the advisories in the future...).

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations
in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird
before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
do not prevent modifications to a prototype, which allows remote attackers to
obtain sensitive information from chrome objects or possibly execute arbitrary
JavaScript code with chrome privileges via a crafted web site (CVE-2013-0773).

Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird
before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
do not prevent JavaScript workers from reading the browser-profile directory
name, which has unspecified impact and remote attack vectors (CVE-2013-0774).

Several flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox (CVE-2013-0775, CVE-2013-0780, CVE-2013-0782,
CVE-2013-0783).

It was found that, after canceling a proxy server's authentication
prompt, the address bar continued to show the requested site's address. An
attacker could use this flaw to conduct phishing attacks by tricking a
user into believing they are viewing a trusted site (CVE-2013-0776).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
https://rhn.redhat.com/errata/RHSA-2013-0272.html
========================

Source RPMs:
thunderbird-17.0.3-1.mga2.src.rpm
thunderbird-l10n-17.0.3-1.1.mga2.src.rpm
Comment 2 Manuel Hiebel 2013-02-21 02:35:18 CET
Upgrade was fine here beside two extensions which were not more working (lightning and a google one), but nobody (mozilla or mageia) can do something for that, and it works after 30 secondes of user time.

So mga64 ok here.
Comment 3 Dave Hodgins 2013-02-21 05:25:39 CET
Testing complete on Mageia 2 i586, including enigmail, nntp, and email.

Could someone from the sysadmin team push the srpms
thunderbird-17.0.3-1.mga2.src.rpm
thunderbird-l10n-17.0.3-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

See comment 1 for the advisory and references.
Comment 4 Thomas Backlund 2013-02-21 22:26:38 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0064

Note You need to log in before you can comment on or make changes to this bug.