Scientific Linux Security Update : thunderbird on SL5.x, SL6.x i386/x86_64
Critical Nessus Plugin ID 69258
SynopsisThe remote Scientific Linux host is missing one or more security updates.
DescriptionSeveral flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1701)
A flaw was found in the way Thunderbird generated Certificate Request Message Format (CRMF) requests. An attacker could use this flaw to perform cross-site scripting (XSS) attacks or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1710)
A flaw was found in the way Thunderbird handled the interaction between frames and browser history. An attacker could use this flaw to trick Thunderbird into treating malicious content as if it came from the browser history, allowing for XSS attacks. (CVE-2013-1709)
It was found that web workers could bypass the same-origin policy. An attacker could use this flaw to perform XSS attacks. (CVE-2013-1714)
It was found that, in certain circumstances, Thunderbird incorrectly handled Java applets. If a user launched an untrusted Java applet via Thunderbird, the applet could use this flaw to obtain read-only access to files on the user's local system. (CVE-2013-1717)
After installing the update, Thunderbird must be restarted for the changes to take effect.
SolutionUpdate the affected thunderbird and / or thunderbird-debuginfo packages.