Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.2534 thunderbird security update 27 July 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: thunderbird Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2021-30547 CVE-2021-29976 CVE-2021-29970 CVE-2021-29969 Reference: ASB-2021.0120 ESB-2021.2502 ESB-2021.2433 ESB-2021.2424 ESB-2021.2422 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:2882 https://access.redhat.com/errata/RHSA-2021:2883 https://access.redhat.com/errata/RHSA-2021:2881 Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2021:2882-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2882 Issue date: 2021-07-26 CVE Names: CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.12.0. Security Fix(es): * Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) * Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) * Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) * chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1970109 - CVE-2021-30547 chromium-browser: Out of bounds write in ANGLE 1982013 - CVE-2021-29970 Mozilla: Use-after-free in accessibility features of a document 1982014 - CVE-2021-29976 Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 1982015 - CVE-2021-29969 Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: thunderbird-78.12.0-2.el8_1.src.rpm ppc64le: thunderbird-78.12.0-2.el8_1.ppc64le.rpm thunderbird-debuginfo-78.12.0-2.el8_1.ppc64le.rpm thunderbird-debugsource-78.12.0-2.el8_1.ppc64le.rpm x86_64: thunderbird-78.12.0-2.el8_1.x86_64.rpm thunderbird-debuginfo-78.12.0-2.el8_1.x86_64.rpm thunderbird-debugsource-78.12.0-2.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-29969 https://access.redhat.com/security/cve/CVE-2021-29970 https://access.redhat.com/security/cve/CVE-2021-29976 https://access.redhat.com/security/cve/CVE-2021-30547 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYP6emtzjgjWX9erEAQgxlw/+Nbc7Hi9vBnO/nbrhjHjeG1AEp1MBtNWc FLiuEiL6CL/JqhRQxzrGnJPWclQdwnNPX/8dydzFaEWw/trfuJxMAzCbRnNyPdVn +iKndtOLViCV90YKutSFU26ODDffdXTiPuLOXN3zxlnrKnmOwxBMwkfY1mzWJgrf H8azyQBzrnza1hipcbmJFZgS4mEUUjnkg3C90y3AjQOB5qqtdqqzm4N38B38x5AM oFWFMPj19YIAw/um5MhX78S09dBNsNz+4VjdHphowiMx7hJz1vJeyjnBs+LrL1iD LVrHkBg1rF0TPQZtvr606B9+v5aUe+8vXCpLmq10BG0NSk4RFn6aMiAPqguct4Gk p6MPfGm2DzPdK+qnF/+VGSvUssykCb1bXWRZz2yzzNngAblf+bmPql0CwN992xWP qaS6b0Czd9Blv86ooKE07psIQ7h55/wd6qDX9y5K04RF4BJ1pjsLUevxYlYUMsOx 00W/Mo2j/8QAyRp24bKYpWTBjvZ27MY6Umylc2u9OWjLOB8VSUVynRoz65QJPqT7 cQeYgBG8pyZwJc339pge8FoO/MZMC7yKoJ9B6rXfv9jxqeRjsD4aUV2li6TGkh28 3fOL7osmzHjSL3y+rrhaK0N6XdM88ssaQscNqRvXKR8W8JoskJANK3qKyoWiNz9D 4RXGOOflfdE= =R5hS - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2021:2883-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2883 Issue date: 2021-07-26 CVE Names: CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.12.0. Security Fix(es): * Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) * Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) * Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) * chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1970109 - CVE-2021-30547 chromium-browser: Out of bounds write in ANGLE 1982013 - CVE-2021-29970 Mozilla: Use-after-free in accessibility features of a document 1982014 - CVE-2021-29976 Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 1982015 - CVE-2021-29969 Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: thunderbird-78.12.0-3.el8_4.src.rpm aarch64: thunderbird-78.12.0-3.el8_4.aarch64.rpm thunderbird-debuginfo-78.12.0-3.el8_4.aarch64.rpm thunderbird-debugsource-78.12.0-3.el8_4.aarch64.rpm ppc64le: thunderbird-78.12.0-3.el8_4.ppc64le.rpm thunderbird-debuginfo-78.12.0-3.el8_4.ppc64le.rpm thunderbird-debugsource-78.12.0-3.el8_4.ppc64le.rpm s390x: thunderbird-78.12.0-3.el8_4.s390x.rpm thunderbird-debuginfo-78.12.0-3.el8_4.s390x.rpm thunderbird-debugsource-78.12.0-3.el8_4.s390x.rpm x86_64: thunderbird-78.12.0-3.el8_4.x86_64.rpm thunderbird-debuginfo-78.12.0-3.el8_4.x86_64.rpm thunderbird-debugsource-78.12.0-3.el8_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-29969 https://access.redhat.com/security/cve/CVE-2021-29970 https://access.redhat.com/security/cve/CVE-2021-29976 https://access.redhat.com/security/cve/CVE-2021-30547 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYP6lZtzjgjWX9erEAQioiQ//esCOgCxe3KN9r1O8Ora78r4iJryDtYgZ 8u4pztT3u//ut7Q9lUDoNRe5mMkDgVdG8svGUO9Eh/uGS/OniBrlWzYjMZG526+2 64Nsgc2Cizomn1DfwosH98P5PA2wHcsOw4Oz2K2f4j4Nrb+iXgfdyAH1DjC/HU7j Qjm3WEiZBKJwUm3pgCedRNy2p6k3+83aLtf64RvifMwmFceRaHvL1BK+WctT3hpM A23JlRv2AGM4RIFds4bMO+FDcQ3pmUfGN0VfMw+vlahAR6SFau5IhA2wvKohS30V 6duHaiN/gAh7i2Ja4OVOaPMSBrRgfpKgBmJqnDwUS1ORx6SpsJ/aP2w7ySOoKOcJ dJQ0hnf58E2RawiegyKFt13B+xKGPHHGg7jy1YtRax3qvcInA8pYVUGa4idNpziS 2f224Kz0aU6eJJF2OxDlG2e/+azkrLX6R5cGKtsOsQDhd5h4vE1lfeemR0t3SJtv lhJQrdamauG9zzbuKYJfEbqQgeegZgzy3O6tNCecMJqE1Ek7kAN4uDrI2fYU3UbT caiyO4fH2Tga2X5Mmz7M2Si/4kgYn7k++1ji+JrDm9LIYqccctdMKeEmQOiUbt4q HXSfuUriOpbUSmRWkgLf4NhYPClJAT7S0HLuAgwnqQXyT88gEqer+o42U9vDXsNP Z27j+IQccD4= =McE0 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2021:2881-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2881 Issue date: 2021-07-26 CVE Names: CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.12.0. Security Fix(es): * Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969) * Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970) * Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976) * chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1970109 - CVE-2021-30547 chromium-browser: Out of bounds write in ANGLE 1982013 - CVE-2021-29970 Mozilla: Use-after-free in accessibility features of a document 1982014 - CVE-2021-29976 Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 1982015 - CVE-2021-29969 Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: thunderbird-78.12.0-2.el7_9.src.rpm x86_64: thunderbird-78.12.0-2.el7_9.x86_64.rpm thunderbird-debuginfo-78.12.0-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: thunderbird-78.12.0-2.el7_9.src.rpm ppc64le: thunderbird-78.12.0-2.el7_9.ppc64le.rpm thunderbird-debuginfo-78.12.0-2.el7_9.ppc64le.rpm x86_64: thunderbird-78.12.0-2.el7_9.x86_64.rpm thunderbird-debuginfo-78.12.0-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: thunderbird-78.12.0-2.el7_9.src.rpm x86_64: thunderbird-78.12.0-2.el7_9.x86_64.rpm thunderbird-debuginfo-78.12.0-2.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-29969 https://access.redhat.com/security/cve/CVE-2021-29970 https://access.redhat.com/security/cve/CVE-2021-29976 https://access.redhat.com/security/cve/CVE-2021-30547 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYP6ng9zjgjWX9erEAQjm7RAAh38uRcanzH/juHmhknn+JBL0KYhZJrVY MxA1gikinbH7xJDqBZgSDcGmur5Vmyq4mNxAHoo3mAXloynvrCYxKYeKSIee2nfM yTCRpYTCKLI6wTS+p6XqLt+kgjaoFldh82gBplaBEmUn48/aKFfkyWkR8heFPW75 U7tRnZHcHGxxyUdQL6nkYlD0aOzL4c/lYKu8uslpFN8XPgq7t5sx9faDOY84hIHl 8JtzHwyV/iXy4uU1WazTqsbSHsEy+Gh/J2H5U3PZKXgEC2nuubLdrqta+NgkuZZI uVNFk/lMt3ALQmM8XnIeLIiiXOuIaZXV0plfyCnFhGNNGsfjCGbqd+d/A6PQAGqC ehljC38OeXlu5hVYqOijlk6y3MfTAPzRP/egTISWcF9R9URa5qe2fTrI6jjoVmXt soviMUm4IR5S7TZyWgtrQrn6AB6bFCzU9w2A6RlVv7uagZisRbfi8nNcRxSMuTqi 4ssevVmO8BpsLgYUkdBUHOsVS3NVqFyefitiOtsyksLFr6De0kFVgIyFBXVuMAGq ZHIwKPQDhJ567686yVfpl4t++ye1JSbe367xs7VQgkmE4nsyVcMVA/CECiTH35ZP Qz++Mvo3wm4isefksh68GJumTesYmuPrHO2uYqv14hiOp7SfLfht4phpyH3sYld8 5nIDpoq6t4o= =RA8/ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYP9HlONLKJtyKPYoAQjFrg/8CyoZIi4WZ6193b+45TLCvOBJffpwal+5 UxvB0AVGN4hPzhxLo5wTS99DatB2h5tqgL9V0n8jy/qU7xm3+UHW2fCN3QtI8HM5 WJHmNCh04RvXuZRK1UGylPGoRRtmTXmRf4XMhjoAa39fKamah3KNyJc+Jgb3I6Uw iZ3+pLBGFO0WqRmTvXhkjMHdlJuowiq6JQXKyDEZoFWB8NFIsVWhF/RLMrAJDZx/ 5wqCGSG9EaYigvQabKmi3mWie1JNUStkW0DE7Nz3uGhkxhlD+/D83vzZQn1ScF3O GdIHTNWD0iWGLr775bFrYMR5RfrH8DJsyKvuhtC+742JNrUOGsJOBM3ir/o3BvXZ eOK4yOruabEOun8TBoIGQTxcjXm2OHfGuZOPyOuEv8jZIAsmwbFZ5jIpHjaMrefR h7aVdK3uKGyczNONUZlthkHVTdZ1+26j0qxYq0xXUVOpYhH30hZQSmw3oTR6+S/5 BLVua6auIOt7yTOMYtVeYtKaOBNmz/wKg49Q9vYv4kZyTc2KhtGEv0b6IqzAe/jt Abrt0eORT7V1hPSKzX3VmJPZi9NHvK4U0NJGkffu+13yloOq4zDZ2GwddxnRvKjK CuKUCy2DT0XP+u/LMqEr+d3iNPvarWUcN/jEFYyJoHn83ZzleMIdpNt3pRl+uJzG 9cHl3cUw9Xg= =otXi -----END PGP SIGNATURE-----