Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0660 thunderbird security update 25 February 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: thunderbird Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Red Hat Enterprise Linux Server 8 Red Hat Enterprise Linux WS/Desktop 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-6800 CVE-2020-6798 CVE-2020-6795 CVE-2020-6794 CVE-2020-6793 CVE-2020-6792 Reference: ASB-2020.0037 ASB-2020.0036 ESB-2020.0631 ESB-2020.0557 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:0574 https://access.redhat.com/errata/RHSA-2020:0576 https://access.redhat.com/errata/RHSA-2020:0577 Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:0574-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:0574 Issue date: 2020-02-24 CVE Names: CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.5.0. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 (CVE-2020-6800) * Mozilla: Out-of-bounds read when processing certain email messages (CVE-2020-6793) * Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords (CVE-2020-6794) * Mozilla: Crash processing S/MIME messages with multiple signatures (CVE-2020-6795) * Mozilla: Incorrect parsing of template tag could result in JavaScript injection (CVE-2020-6798) * Mozilla: Message ID calculation was based on uninitialized data (CVE-2020-6792) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1801918 - CVE-2020-6798 Mozilla: Incorrect parsing of template tag could result in JavaScript injection 1801920 - CVE-2020-6800 Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 1801955 - CVE-2020-6793 Mozilla: Out-of-bounds read when processing certain email messages 1801956 - CVE-2020-6794 Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords 1801957 - CVE-2020-6795 Mozilla: Crash processing S/MIME messages with multiple signatures 1801958 - CVE-2020-6792 Mozilla: Message ID calculation was based on uninitialized data 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: thunderbird-68.5.0-1.el6_10.src.rpm i386: thunderbird-68.5.0-1.el6_10.i686.rpm thunderbird-debuginfo-68.5.0-1.el6_10.i686.rpm x86_64: thunderbird-68.5.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: thunderbird-68.5.0-1.el6_10.src.rpm i386: thunderbird-68.5.0-1.el6_10.i686.rpm thunderbird-debuginfo-68.5.0-1.el6_10.i686.rpm ppc64: thunderbird-68.5.0-1.el6_10.ppc64.rpm thunderbird-debuginfo-68.5.0-1.el6_10.ppc64.rpm s390x: thunderbird-68.5.0-1.el6_10.s390x.rpm thunderbird-debuginfo-68.5.0-1.el6_10.s390x.rpm x86_64: thunderbird-68.5.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: thunderbird-68.5.0-1.el6_10.src.rpm i386: thunderbird-68.5.0-1.el6_10.i686.rpm thunderbird-debuginfo-68.5.0-1.el6_10.i686.rpm x86_64: thunderbird-68.5.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-6792 https://access.redhat.com/security/cve/CVE-2020-6793 https://access.redhat.com/security/cve/CVE-2020-6794 https://access.redhat.com/security/cve/CVE-2020-6795 https://access.redhat.com/security/cve/CVE-2020-6798 https://access.redhat.com/security/cve/CVE-2020-6800 https://access.redhat.com/security/updates/classification/#important https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXlPCR9zjgjWX9erEAQjCUQ//UOIkeE9YWGraRJR0HLmt085gZ2i559gv FRvd6Cv7pqtVXHOg48Z07D7BmB0Wue8hkGQtsfzvpvJaiLB/9/KPSNSlaV9CK+fl 8aEe04NkgL5t1lBKRU1V8GVRSbZrM8t8AdHhIec6CDyKfjXIxHTpBXbZAlvJSXdM lIPx6ekgCzxhgf8iu/5ytDBXriyoH3BB4jUMUONYR12qt4lvelltggh/LgQfSDtj ai7qv2wdnlYaZ3jYK7b5BKniwpa54h8AQdFHjFboC+Kk4dtq2jMsSjCoMk0vlbXN AjUTLW8aCra/7CuVBf9jxLDtTNjl5jxClZvuuFBUGXRRXe3FSZ95FJ9y3ccm9+eO wmiOhOFlKSZvQuTetEVi+1USvzfLrmIXOk5BL7Ckm6u9fhsl8looTbNAAFxOqnzk 1aGyob3Df1ueLl2s21wLb9QgWlddkXFuYFSsEV1uszr4sf/CiSEfNq+b6B8dMt5D oEwhVTGFRcE8fBLRwnEmcOlH72J8hPo+Uqvt5i9F1Ce9vUqjO2YjIF69GBVECXg7 Dhs7RZzABbBST3hEV2eEjQ5D+EEMpld5OyvneIVs4nblqMrMDZWUk/YHrew1GPP2 VAnYPdFxgNBaPAbI3Oz8/oZ2WHJSdg+7+smgWl4e9fIKxUV47cIka3lpgd3ZPJDm uUrg4PFm6+U= =GgQ+ - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:0576-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:0576 Issue date: 2020-02-24 CVE Names: CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.5.0. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 (CVE-2020-6800) * Mozilla: Out-of-bounds read when processing certain email messages (CVE-2020-6793) * Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords (CVE-2020-6794) * Mozilla: Crash processing S/MIME messages with multiple signatures (CVE-2020-6795) * Mozilla: Incorrect parsing of template tag could result in JavaScript injection (CVE-2020-6798) * Mozilla: Message ID calculation was based on uninitialized data (CVE-2020-6792) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1801918 - CVE-2020-6798 Mozilla: Incorrect parsing of template tag could result in JavaScript injection 1801920 - CVE-2020-6800 Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 1801955 - CVE-2020-6793 Mozilla: Out-of-bounds read when processing certain email messages 1801956 - CVE-2020-6794 Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords 1801957 - CVE-2020-6795 Mozilla: Crash processing S/MIME messages with multiple signatures 1801958 - CVE-2020-6792 Mozilla: Message ID calculation was based on uninitialized data 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: thunderbird-68.5.0-1.el7_7.src.rpm x86_64: thunderbird-68.5.0-1.el7_7.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: thunderbird-68.5.0-1.el7_7.src.rpm ppc64le: thunderbird-68.5.0-1.el7_7.ppc64le.rpm thunderbird-debuginfo-68.5.0-1.el7_7.ppc64le.rpm x86_64: thunderbird-68.5.0-1.el7_7.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: thunderbird-68.5.0-1.el7_7.src.rpm x86_64: thunderbird-68.5.0-1.el7_7.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el7_7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-6792 https://access.redhat.com/security/cve/CVE-2020-6793 https://access.redhat.com/security/cve/CVE-2020-6794 https://access.redhat.com/security/cve/CVE-2020-6795 https://access.redhat.com/security/cve/CVE-2020-6798 https://access.redhat.com/security/cve/CVE-2020-6800 https://access.redhat.com/security/updates/classification/#important https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXlPGf9zjgjWX9erEAQiaxBAAhSh0ZMlG8eFGSgZIDJ8CzJLVqZUmAb1+ IEF1YU3HUcD0uL0dc8qX0JPVD+bWvBtXaKYwkS3+BP7oHCzpThmZEp5q1T1JU3QY lVajpvMA6HHeowlzwfO/ko67rPHCiSocODvNvRkYRaB53OG97G1wGteHdm/V35tw F+9fj+sGG5QxNFKi0PUUjLZflX2eo+6Htxbef4JLtoDzMRWOl6/CGv2gf+beAWnh vjK0llFNbxj3/atRH+7bg1y1/XRQFu1XOJ/eDyDqbE9dT3iT9FpZnu8grvoFOj3c 7aeeMe6Md6CS3Dsx5lLD/4808LyVJ6ErxtxkKFfJkHEbYL6K7ZO2rxp/PNKw2YNf CXMZvsi3E14xsMc3hFolWFXNqtU0MVWEcXq19/Rh+mPcHGqXAhsOy5D3i7XPQ5lH X7cZhe06JPahacbhFNoTUnSW2ox0gOmUHKSDMBKKTpkk0A66VsHLxKGZsHlhe1Oe /8JPb49EJaCTS+5V1EVb6N57nOStl4qw88Pa9dFLCx+EVTc4x52RETxDj/swsUWK Ans1TLKXEoMGz894DVSEyPjzDjCHR9ukfPrJhDj7hoC4JPAjgV0MuxfjTB4eWdVq yNkyeMjWFZda4b2LD3RRYjVah1lkmbBoufOrxwfayj1Mp85EJ3jW3kWCgtPK2irI ilrCA0XObnw= =ln35 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:0577-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:0577 Issue date: 2020-02-24 CVE Names: CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.5.0. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 (CVE-2020-6800) * Mozilla: Out-of-bounds read when processing certain email messages (CVE-2020-6793) * Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords (CVE-2020-6794) * Mozilla: Crash processing S/MIME messages with multiple signatures (CVE-2020-6795) * Mozilla: Incorrect parsing of template tag could result in JavaScript injection (CVE-2020-6798) * Mozilla: Message ID calculation was based on uninitialized data (CVE-2020-6792) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1801918 - CVE-2020-6798 Mozilla: Incorrect parsing of template tag could result in JavaScript injection 1801920 - CVE-2020-6800 Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 1801955 - CVE-2020-6793 Mozilla: Out-of-bounds read when processing certain email messages 1801956 - CVE-2020-6794 Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords 1801957 - CVE-2020-6795 Mozilla: Crash processing S/MIME messages with multiple signatures 1801958 - CVE-2020-6792 Mozilla: Message ID calculation was based on uninitialized data 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: thunderbird-68.5.0-1.el8_1.src.rpm ppc64le: thunderbird-68.5.0-1.el8_1.ppc64le.rpm thunderbird-debuginfo-68.5.0-1.el8_1.ppc64le.rpm thunderbird-debugsource-68.5.0-1.el8_1.ppc64le.rpm x86_64: thunderbird-68.5.0-1.el8_1.x86_64.rpm thunderbird-debuginfo-68.5.0-1.el8_1.x86_64.rpm thunderbird-debugsource-68.5.0-1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-6792 https://access.redhat.com/security/cve/CVE-2020-6793 https://access.redhat.com/security/cve/CVE-2020-6794 https://access.redhat.com/security/cve/CVE-2020-6795 https://access.redhat.com/security/cve/CVE-2020-6798 https://access.redhat.com/security/cve/CVE-2020-6800 https://access.redhat.com/security/updates/classification/#important https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXlO+x9zjgjWX9erEAQhNiw/9FVonQMYgOKOOId4YbhElaJ7o+2CnsG1A wLdgzGCe/C1h53Cu6ZEoj6Gu0KE3Nqwo82bMR9QuP6NkxH/HaN264Ij0eZoCyWLN 0IC3ANGk0TwGR4qyCI13g36aoAA/w/0O/pWw25w8muuolDGAR7E/rmrHpIapVjxx qoY9urr3Fpv9FIxBlU5f6nyzX2ylDudyrcuNGASh4LjWJ2ULqnQSi7Oac8Xi6eRO OreA+GsWBA7+bTm5YTO8BDOKBTc7ANEZ8jm0+aG0szMWcTtR0+v+VgDJsrm2dvmL eshLeqiCqRfhxlNQ4ELPyFcLP5Me5vCTxZL31qTsPg/nLDF3VelqETauZrWhFIr3 OcbKxZ8Vg7noMvzhb1wh+Kfm7YHcIMbz0mu5llPnY1YNbHim0ALb6pHKaYs85s5L VkzMWLvuOWx4SnFi31xZm6OJAGUhWoPQNTlgYlaSPV7TXHW1ORo5/omB2jhB0NxP nkMHFx/T/mPSLs7rvEGonTPFmBaUTi/9WpmPAD5w7clZ/i0a8LDJCbMj0hxYYSEJ cOPFQFeLtk1DSM32v6x3galS83oKCBGQi/WyIOD8EizaqzMHW/rTMo5D2YVSwOKD bW9kjnXIjoYgpmb6SXBRoM2FgtsXmI343D1GXn2sFGaTBdm9LooOyu/oMGhal1j3 DbCiPVzfo8s= =PaFH - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXlSWSmaOgq3Tt24GAQgcqw/9F+7GcrrYFFWSHXR3bszu13SmPVQMITns bgihkRJoqGJUyJARoQB7wE4OoohB3/IQ7G/+nmX8iaP8Exd0ffZDY21JaYk5+BE7 VpwkgyAv2gyWEQCUkEA3piKapo7/2c81KvoX65BmbcbBpa690Dm2J5t7QS0eJ8xi EJ4OlfxAC6vTDIbBzEppz07ZDbArMBFnTil/ZJJQIb6X4QllRCCrw4/oCLuRWJUT JrMxEngGpq5jjsHQFm93Jno3y1l1tN1dzQxkLcrLNsDBly+Mf7bBccZR27X+Iea8 mv2o5Ks4/qN0jHeSLNOx1wM+Df+mx9dc13U8SJ/ltNFt2SVhMDXnTqSV4MHpjI3T t8E+GAM+VKAw6mPGlDD1iT5mrgwKd6a2d2IG84nuNO0/1OzKJaE/XoYh/n2Nq/zB kkHYjouuwzlUcN7Cd5r9EsNcXe4JDv3bjKkuMU4nwRmWJFUn1cDDXGpSodfd2zV7 dwcf4PvD8eocs/k8OjuFLwp30fv0zxSt/2T8r3l1tojFMDbdSVWmDpXP6z/f7bUt qwQ5HRW/1JX/WasSHIQ8NRtfkglc4ArTPE1YQhVHuXoYVYdDwQBB97fS4L8A5hm4 YIrI5EpLclwXAFiqrhLpWGVhhgCfbYlkkyp5SnNeLqYLyeHR3Ur2RkUmsEU0bXJw PRYALj6Q++k= =HKif -----END PGP SIGNATURE-----