From MFSA 2008-46:
Georgi Guninski reported a buffer overflow in the handling of cancelled
newsgroup messages. The error was caused by too small a heap buffer being
allocated to store message header information. This buffer could be overrun
by an attacker using a specially crafted message which could crash the mail
reader and potentially be used to run arbitrary code on the victim's

thunderbird-220.127.116.11-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

thunderbird-18.104.22.168-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

This vulnerability was resolved in Red Hat Enterprise Linux 4, 5, and Optional Productivity Applications version 5 via RHSA-2008:0908: