Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0989
thunderbird security update
20 March 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: thunderbird
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-6814 CVE-2020-6812 CVE-2020-6811
CVE-2020-6807 CVE-2020-6806 CVE-2020-6805
CVE-2019-20503
Reference: ESB-2020.0932
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:0905
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2020:0905-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0905
Issue date: 2020-03-19
CVE Names: CVE-2019-20503 CVE-2020-6805 CVE-2020-6806
CVE-2020-6807 CVE-2020-6811 CVE-2020-6812
CVE-2020-6814
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 68.6.0.
Security Fix(es):
* Mozilla: Use-after-free when removing data about origins (CVE-2020-6805)
* Mozilla: BodyStream::OnInputStreamReady was missing protections against
state confusion (CVE-2020-6806)
* Mozilla: Use-after-free in cubeb during stream destruction
(CVE-2020-6807)
* Mozilla: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
(CVE-2020-6814)
* Mozilla: Out of bounds reads in sctp_load_addresses_from_init
(CVE-2019-20503)
* Mozilla: Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
(CVE-2020-6811)
* Mozilla: The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
(CVE-2020-6812)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1812199 - CVE-2020-6805 Mozilla: Use-after-free when removing data about origins
1812200 - CVE-2020-6806 Mozilla: BodyStream::OnInputStreamReady was missing
protections against state confusion
1812201 - CVE-2020-6807 Mozilla: Use-after-free in cubeb during stream destruction
1812202 - CVE-2020-6811 Mozilla: Devtools' 'Copy as cURL' feature did not fully
escape website-controlled data, potentially leading to command injection
1812203 - CVE-2019-20503 Mozilla: Out of bounds reads in sctp_load_addresses_from_init
1812204 - CVE-2020-6812 Mozilla: The names of AirPods with personally identifiable
information were exposed to websites with camera or microphone permission
1812205 - CVE-2020-6814 Mozilla: Memory safety bugs fixed in Firefox 74 and Firefox
ESR 68.6
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
thunderbird-68.6.0-1.el7_7.src.rpm
x86_64:
thunderbird-68.6.0-1.el7_7.x86_64.rpm
thunderbird-debuginfo-68.6.0-1.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
Source:
thunderbird-68.6.0-1.el7_7.src.rpm
ppc64le:
thunderbird-68.6.0-1.el7_7.ppc64le.rpm
thunderbird-debuginfo-68.6.0-1.el7_7.ppc64le.rpm
x86_64:
thunderbird-68.6.0-1.el7_7.x86_64.rpm
thunderbird-debuginfo-68.6.0-1.el7_7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
thunderbird-68.6.0-1.el7_7.src.rpm
x86_64:
thunderbird-68.6.0-1.el7_7.x86_64.rpm
thunderbird-debuginfo-68.6.0-1.el7_7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-20503
https://access.redhat.com/security/cve/CVE-2020-6805
https://access.redhat.com/security/cve/CVE-2020-6806
https://access.redhat.com/security/cve/CVE-2020-6807
https://access.redhat.com/security/cve/CVE-2020-6811
https://access.redhat.com/security/cve/CVE-2020-6812
https://access.redhat.com/security/cve/CVE-2020-6814
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXnNcb9zjgjWX9erEAQisWQ//fOlMRD7g2O2MD3Rx6/fOLznMFU8OQse8
/amRQJgQFsC/Zjbvb5IN0gmbJEYojb7leBmebk1bNMuPyYbHQXr23U6Z2mdmEDZR
IkURdWeEuJmX3Pzb5tcuPGspdjTeMPhqa5BrQtrjYQBTr0Ej48K/8ToHWgcC6GvO
Bei0rWnEqs5KOBLOGcFhyUL0HRP7LlDRVIO4D5G312MP+K3oap6++AHVgfDu24/z
aywGVjv6y9XE+TTN7s4+5SfKTQUXlyx/zS0+DFlnCNXmT6MOhjdqFHDM+dls+/aV
h2frnasfXcuGqarpFwlX6LkV6Tkp73SRMew7/4nvA8137b6W6EdL+vIwV3HMMadc
/s6008op7GERccM6qnR0vzQyw23jvCW1DHnzC0Gpr93y6zT82Mc9F305qAt7K4ca
XdHfeMB7eSphlFpmBjOTgSigw02IEAsybx3ZzaKNky6Hu3KE9uMcdzeBQmzxYu74
2hLPyeTNdFQP/Raljx6kdg3+OSYylVccjC8z9G/Ypfp0DoHnbTapc2/cnnMINZKS
ZkTltuIvzNcYTzLlnmjWzAXtc72UNCgjM2Q0ZFXzCYrSxG41hn4z2Zs3ttN14FZw
mH/EtzvbeX9i0Boq+QROsEgzmuk1C9epKob2+QsmqQbEeznDZHLMVW3wvkAuE3Ci
RRrIRB36LQk=
=iMeO
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXnQRAWaOgq3Tt24GAQgOnxAAsKfIsgNpRb2KLl5pD3OEw6lEaMGKWlBF
v06s+WQ3aLEyukfVVrCSAaZiM6/JD+HLTDY+TEf9JIHMJDEabNGT7wvyQPctJ0W4
GdxRNn+xyKiiyBOihJx84vMjoDKWNQFDrnqC7ky+oLtTitPmn1d7oQfUtCxI7T7x
6Ly1wnzMastvpkDrdwkxwLpN3AG0AkKt4/KkZ350PTJiHju29ODCEaqSMRZjUhyM
w6E3cVJ9HRW30tHy6rNE5G2O/m5N9+tkIEdNq+n/Uw9mU0JgJLSGoniujuII5Jpx
KJa3fQFp/4oe5QiteDSw1IFf1SW58W/KmsKpQMaAYNjYIN+CktL0IayeoMhVKtZN
RRxD+9VPUZCNzhIrZxC+vXSnTszqBr6bvOa1gTKJS6ywDbZUB+IZgXE++7o6mvGE
zjDweuckpvRkRbxPMQr3U+ZNy6mamj167zMXDI9UC3tog9pZJq9srVEP9aolIv8E
r/iVQGYRvHCXSGBLitHeOsv65/zLXRhhDnWMbfJl86SgBpu7wQATsxhP8a1JXxR7
B9WBMYrI/vybw9cxM/j1u61wpHQgLQsqQFd5lUSCAvVoCKOfIuga83dxtjJw/M/Y
zoK+EQTqBOePJVTV9gOmx/EM5XPwNtQ23r8HsuUgCim7Ohc6H5R7A8idHqbIe7Va
PG279ZnGJDE=
=Nb8X
-----END PGP SIGNATURE-----