Jump to content
Compatible Support Forums
Sign in to follow this  
news

[RHSA-2012:1089-01] Critical: thunderbird security update

Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Critical: thunderbird security update

Advisory ID: RHSA-2012:1089-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1089.html

Issue date: 2012-07-17

CVE Names: CVE-2012-1948 CVE-2012-1951 CVE-2012-1952

CVE-2012-1953 CVE-2012-1954 CVE-2012-1955

CVE-2012-1957 CVE-2012-1958 CVE-2012-1959

CVE-2012-1961 CVE-2012-1962 CVE-2012-1963

CVE-2012-1964 CVE-2012-1967

=====================================================================

 

1. Summary:

 

An updated thunderbird package that fixes multiple security issues is now

available for Red Hat Enterprise Linux 5 and 6.

 

The Red Hat Security Response Team has rated this update as having critical

security impact. Common Vulnerability Scoring System (CVSS) base scores,

which give detailed severity ratings, are available for each vulnerability

from the CVE links in the References section.

 

2. Relevant releases/architectures:

 

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

 

3. Description:

 

Mozilla Thunderbird is a standalone mail and newsgroup client.

 

Several flaws were found in the processing of malformed content. Malicious

content could cause Thunderbird to crash or, potentially, execute arbitrary

code with the privileges of the user running Thunderbird. (CVE-2012-1948,

CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,

CVE-2012-1962, CVE-2012-1967)

 

Malicious content could bypass same-compartment security wrappers (SCSW)

and execute arbitrary code with chrome privileges. (CVE-2012-1959)

 

A flaw in the way Thunderbird called history.forward and history.back could

allow an attacker to conceal a malicious URL, possibly tricking a user

into believing they are viewing trusted content. (CVE-2012-1955)

 

A flaw in a parser utility class used by Thunderbird to parse feeds (such

as RSS) could allow an attacker to execute arbitrary JavaScript with the

privileges of the user running Thunderbird. This issue could have affected

other Thunderbird components or add-ons that assume the class returns

sanitized input. (CVE-2012-1957)

 

A flaw in the way Thunderbird handled X-Frame-Options headers could allow

malicious content to perform a clickjacking attack. (CVE-2012-1961)

 

A flaw in the way Content Security Policy (CSP) reports were generated by

Thunderbird could allow malicious content to steal a victim's OAuth 2.0

access tokens and OpenID credentials. (CVE-2012-1963)

 

A flaw in the way Thunderbird handled certificate warnings could allow a

man-in-the-middle attacker to create a crafted warning, possibly tricking

a user into accepting an arbitrary certificate as trusted. (CVE-2012-1964)

 

The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6

introduced a mitigation for the CVE-2011-3389 flaw. For compatibility

reasons, it remains disabled by default in the nss packages. This update

makes Thunderbird enable the mitigation by default. It can be disabled by

setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before

launching Thunderbird. (BZ#838879)

 

Red Hat would like to thank the Mozilla project for reporting these issues.

Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill

McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby

Holley, Mariusz Mlynski, Mario Heiderich, Frédéric Buclin, Karthikeyan

Bhargavan, and Matt McCutchen as the original reporters of these issues.

 

Note: None of the issues in this advisory can be exploited by a

specially-crafted HTML mail message as JavaScript is disabled by default

for mail messages. They could be exploited another way in Thunderbird, for

example, when viewing the full remote content of an RSS feed.

 

All Thunderbird users should upgrade to this updated package, which

contains Thunderbird version 10.0.6 ESR, which corrects these issues. After

installing the update, Thunderbird must be restarted for the changes to

take effect.

 

4. Solution:

 

Before applying this update, make sure all previously-released errata

relevant to your system have been applied.

 

This update is available via the Red Hat Network. Details on how to

use the Red Hat Network to apply this update are available at

https://access.redhat.com/knowledge/articles/11258

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

838879 - Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunderbird

840201 - CVE-2012-1948 CVE-2012-1949 Mozilla: Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) (MFSA 2012-42)

840205 - CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 Mozilla: Gecko memory corruption (MFSA 2012-44)

840206 - CVE-2012-1955 Mozilla: Spoofing issue with location (MFSA 2012-45)

840208 - CVE-2012-1957 Mozilla: Improper filtering of javascript in HTML feed-view (MFSA 2012-47)

840211 - CVE-2012-1958 Mozilla: use-after-free in nsGlobalWindow::PageHidden (MFSA 2012-48)

840212 - CVE-2012-1959 Mozilla: Same-compartment Security Wrappers can be bypassed (MFSA 2012-49)

840214 - CVE-2012-1961 Mozilla: X-Frame-Options header ignored when duplicated (MFSA 2012-51)

840215 - CVE-2012-1962 Mozilla: JSDependentString::undepend string conversion results in memory corruption (MFSA 2012-52)

840220 - CVE-2012-1963 Mozilla: Content Security Policy 1.0 implementation errors cause data leakage (MFSA 2012-53)

840222 - CVE-2012-1964 Mozilla: Clickjacking of certificate warning page (MFSA 2012-54)

840259 - CVE-2012-1967 Mozilla: Code execution through javascript: URLs (MFSA 2012-56)

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-10.0.6-1.el5_8.src.rpm

 

i386:

thunderbird-10.0.6-1.el5_8.i386.rpm

thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm

 

x86_64:

thunderbird-10.0.6-1.el5_8.x86_64.rpm

thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm

 

RHEL Optional Productivity Applications (v. 5 server):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-10.0.6-1.el5_8.src.rpm

 

i386:

thunderbird-10.0.6-1.el5_8.i386.rpm

thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm

 

x86_64:

thunderbird-10.0.6-1.el5_8.x86_64.rpm

thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm

 

Red Hat Enterprise Linux Desktop (v. 6):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-10.0.6-1.el6_3.src.rpm

 

i386:

thunderbird-10.0.6-1.el6_3.i686.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm

 

x86_64:

thunderbird-10.0.6-1.el6_3.x86_64.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 6):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-10.0.6-1.el6_3.src.rpm

 

i386:

thunderbird-10.0.6-1.el6_3.i686.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm

 

ppc64:

thunderbird-10.0.6-1.el6_3.ppc64.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.ppc64.rpm

 

s390x:

thunderbird-10.0.6-1.el6_3.s390x.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.s390x.rpm

 

x86_64:

thunderbird-10.0.6-1.el6_3.x86_64.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 6):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-10.0.6-1.el6_3.src.rpm

 

i386:

thunderbird-10.0.6-1.el6_3.i686.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm

 

x86_64:

thunderbird-10.0.6-1.el6_3.x86_64.rpm

thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/#package

 

7. References:

 

https://www.redhat.com/security/data/cve/CVE-2012-1948.html

https://www.redhat.com/security/data/cve/CVE-2012-1951.html

https://www.redhat.com/security/data/cve/CVE-2012-1952.html

https://www.redhat.com/security/data/cve/CVE-2012-1953.html

https://www.redhat.com/security/data/cve/CVE-2012-1954.html

https://www.redhat.com/security/data/cve/CVE-2012-1955.html

https://www.redhat.com/security/data/cve/CVE-2012-1957.html

https://www.redhat.com/security/data/cve/CVE-2012-1958.html

https://www.redhat.com/security/data/cve/CVE-2012-1959.html

https://www.redhat.com/security/data/cve/CVE-2012-1961.html

https://www.redhat.com/security/data/cve/CVE-2012-1962.html

https://www.redhat.com/security/data/cve/CVE-2012-1963.html

https://www.redhat.com/security/data/cve/CVE-2012-1964.html

https://www.redhat.com/security/data/cve/CVE-2012-1967.html

https://access.redhat.com/security/updates/classification/#critical

https://rhn.redhat.com/errata/RHBA-2012-0337.html

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2012 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFQBb2LXlSAg2UNWIIRAlYlAKCbJcD7/fLADRtQ3zfCf60z9+D5nQCgoIBO

ZsU0p96A9fzg6QvLWUu8roA=

=VphK

-----END PGP SIGNATURE-----

 

 

--

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×