-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1649
              Red Hat thunderbird - multiple vulnerabilities
                                12 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12397 CVE-2020-12395 CVE-2020-12392
                   CVE-2020-12387 CVE-2020-6831 

Reference:         ESB-2020.1630
                   ESB-2020.1629
                   ESB-2020.1626
                   ESB-2020.1602

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:2046
   https://access.redhat.com/errata/RHSA-2020:2047
   https://access.redhat.com/errata/RHSA-2020:2048
   https://access.redhat.com/errata/RHSA-2020:2049
   https://access.redhat.com/errata/RHSA-2020:2050

Comment: This bulletin contains five (5) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update
Advisory ID:       RHSA-2020:2046-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2046
Issue date:        2020-05-11
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 
                   CVE-2020-12395 CVE-2020-12397 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.8.0.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* usrsctp: Buffer overflow in AUTH chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

* Mozilla: Sender Email Address Spoofing using encoded Unicode characters
(CVE-2020-12397)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 usrsctp: Buffer overflow in AUTH chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
1832565 - CVE-2020-12397 Mozilla: Sender Email Address Spoofing using encoded Unicode characters

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
thunderbird-68.8.0-1.el8_2.src.rpm

aarch64:
thunderbird-68.8.0-1.el8_2.aarch64.rpm
thunderbird-debuginfo-68.8.0-1.el8_2.aarch64.rpm
thunderbird-debugsource-68.8.0-1.el8_2.aarch64.rpm

ppc64le:
thunderbird-68.8.0-1.el8_2.ppc64le.rpm
thunderbird-debuginfo-68.8.0-1.el8_2.ppc64le.rpm
thunderbird-debugsource-68.8.0-1.el8_2.ppc64le.rpm

x86_64:
thunderbird-68.8.0-1.el8_2.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el8_2.x86_64.rpm
thunderbird-debugsource-68.8.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/cve/CVE-2020-12397
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- ---------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update
Advisory ID:       RHSA-2020:2047-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2047
Issue date:        2020-05-11
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 
                   CVE-2020-12395 CVE-2020-12397 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.8.0.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* usrsctp: Buffer overflow in AUTH chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

* Mozilla: Sender Email Address Spoofing using encoded Unicode characters
(CVE-2020-12397)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 usrsctp: Buffer overflow in AUTH chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
1832565 - CVE-2020-12397 Mozilla: Sender Email Address Spoofing using encoded Unicode characters

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
thunderbird-68.8.0-1.el8_1.src.rpm

ppc64le:
thunderbird-68.8.0-1.el8_1.ppc64le.rpm
thunderbird-debuginfo-68.8.0-1.el8_1.ppc64le.rpm
thunderbird-debugsource-68.8.0-1.el8_1.ppc64le.rpm

x86_64:
thunderbird-68.8.0-1.el8_1.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el8_1.x86_64.rpm
thunderbird-debugsource-68.8.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/cve/CVE-2020-12397
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update
Advisory ID:       RHSA-2020:2048-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2048
Issue date:        2020-05-11
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 
                   CVE-2020-12395 CVE-2020-12397 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.8.0.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* usrsctp: Buffer overflow in AUTH chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

* Mozilla: Sender Email Address Spoofing using encoded Unicode characters
(CVE-2020-12397)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 usrsctp: Buffer overflow in AUTH chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
1832565 - CVE-2020-12397 Mozilla: Sender Email Address Spoofing using encoded Unicode characters

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
thunderbird-68.8.0-1.el8_0.src.rpm

ppc64le:
thunderbird-68.8.0-1.el8_0.ppc64le.rpm
thunderbird-debuginfo-68.8.0-1.el8_0.ppc64le.rpm
thunderbird-debugsource-68.8.0-1.el8_0.ppc64le.rpm

x86_64:
thunderbird-68.8.0-1.el8_0.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el8_0.x86_64.rpm
thunderbird-debugsource-68.8.0-1.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/cve/CVE-2020-12397
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update
Advisory ID:       RHSA-2020:2049-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2049
Issue date:        2020-05-11
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 
                   CVE-2020-12395 CVE-2020-12397 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.8.0.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* usrsctp: Buffer overflow in AUTH chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

* Mozilla: Sender Email Address Spoofing using encoded Unicode characters
(CVE-2020-12397)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 usrsctp: Buffer overflow in AUTH chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
1832565 - CVE-2020-12397 Mozilla: Sender Email Address Spoofing using encoded Unicode characters

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
thunderbird-68.8.0-1.el6_10.src.rpm

i386:
thunderbird-68.8.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.i686.rpm

x86_64:
thunderbird-68.8.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
thunderbird-68.8.0-1.el6_10.src.rpm

i386:
thunderbird-68.8.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.i686.rpm

ppc64:
thunderbird-68.8.0-1.el6_10.ppc64.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.ppc64.rpm

s390x:
thunderbird-68.8.0-1.el6_10.s390x.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.s390x.rpm

x86_64:
thunderbird-68.8.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
thunderbird-68.8.0-1.el6_10.src.rpm

i386:
thunderbird-68.8.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.i686.rpm

x86_64:
thunderbird-68.8.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/cve/CVE-2020-12397
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update
Advisory ID:       RHSA-2020:2050-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2050
Issue date:        2020-05-11
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 
                   CVE-2020-12395 CVE-2020-12397 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.8.0.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* usrsctp: Buffer overflow in AUTH chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

* Mozilla: Sender Email Address Spoofing using encoded Unicode characters
(CVE-2020-12397)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 usrsctp: Buffer overflow in AUTH chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
1832565 - CVE-2020-12397 Mozilla: Sender Email Address Spoofing using encoded Unicode characters

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
thunderbird-68.8.0-1.el7_8.src.rpm

x86_64:
thunderbird-68.8.0-1.el7_8.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
thunderbird-68.8.0-1.el7_8.src.rpm

ppc64le:
thunderbird-68.8.0-1.el7_8.ppc64le.rpm
thunderbird-debuginfo-68.8.0-1.el7_8.ppc64le.rpm

x86_64:
thunderbird-68.8.0-1.el7_8.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
thunderbird-68.8.0-1.el7_8.src.rpm

x86_64:
thunderbird-68.8.0-1.el7_8.x86_64.rpm
thunderbird-debuginfo-68.8.0-1.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/cve/CVE-2020-12397
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------
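
The five advisories list the fixed build for each RHEL stream but leave the "is this host still affected?" check to the reader, and a plain string comparison gets RPM ordering wrong (it would rank 68.10.0 below 68.8.0). The following is an added example, not part of the AusCERT bulletin or of Red Hat's advisories: a Python re-implementation of RPM's version ordering (the rpmvercmp digit/alpha segment rules plus '~' pre-release handling) that compares an installed thunderbird NEVRA, as printed by `rpm -q thunderbird`, against the fixed build for its dist tag; the sample inventory at the bottom is constructed.

```python
"""Compare installed thunderbird builds against the fixed builds in
RHSA-2020:2046..2050 using RPM's own version ordering.

Added example, not Red Hat's or AusCERT's code. rpmvercmp() below is a
Python re-implementation of rpm's comparison rules (assumption: the
digit/alpha/'~' rules are sufficient for the RHEL builds listed above)."""
import re

# Fixed builds copied from the package lists above, keyed by dist tag so a
# host is only ever compared against the build for its own RHEL stream.
FIXED_BUILDS = {
    "el8_2": "thunderbird-68.8.0-1.el8_2.x86_64.rpm",
    "el8_1": "thunderbird-68.8.0-1.el8_1.x86_64.rpm",
    "el8_0": "thunderbird-68.8.0-1.el8_0.x86_64.rpm",
    "el7_8": "thunderbird-68.8.0-1.el7_8.x86_64.rpm",
    "el6_10": "thunderbird-68.8.0-1.el6_10.x86_64.rpm",
}

# rpm splits a version into runs of digits, runs of letters, and '~';
# every other character is a separator and carries no meaning.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under RPM ordering."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        xa = sa[i] if i < len(sa) else None
        xb = sb[i] if i < len(sb) else None
        if xa == "~" or xb == "~":          # '~' sorts before anything,
            if xa != "~":                   # including the end of the string
                return 1
            if xb != "~":
                return -1
            i += 1
            continue
        if xa is None or xb is None:        # common prefix equal: longer wins
            if xa is None and xb is None:
                return 0
            return -1 if xa is None else 1
        if xa.isdigit() != xb.isdigit():    # numeric segment beats alpha
            return 1 if xa.isdigit() else -1
        if xa.isdigit():                    # numeric: drop zeros, longer wins
            xa, xb = xa.lstrip("0"), xb.lstrip("0")
            if len(xa) != len(xb):
                return 1 if len(xa) > len(xb) else -1
        if xa != xb:                        # same length/type: lexical
            return 1 if xa > xb else -1
        i += 1


def parse_nevra(rpm_name: str):
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its parts."""
    base = rpm_name[:-4] if rpm_name.endswith(".rpm") else rpm_name
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)   # name may contain '-'
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples the way rpm does."""
    (ea, va, ra), (eb, vb, rb) = a, b
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_vulnerable(installed_nevra: str):
    """True if the build predates the fix, False if fixed or newer,
    None if the package or dist tag is not covered by these advisories."""
    name, e, v, r, _arch = parse_nevra(installed_nevra)
    dist = r.rsplit(".", 1)[-1]                   # "1.el8_2" -> "el8_2"
    if not name.startswith("thunderbird") or dist not in FIXED_BUILDS:
        return None
    _n, fe, fv, fr, _a = parse_nevra(FIXED_BUILDS[dist])
    return evr_cmp((e, v, r), (fe, fv, fr)) < 0


if __name__ == "__main__":
    # Constructed sample inventory, e.g. `rpm -q thunderbird` from each host.
    for nevra in ("thunderbird-68.7.0-1.el8_2.x86_64",
                  "thunderbird-68.8.0-1.el8_2.x86_64",
                  "thunderbird-68.10.0-1.el8_2.x86_64",
                  "thunderbird-68.8.0-1.fc32.x86_64"):
        print(f"{nevra}: vulnerable={is_vulnerable(nevra)}")
```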

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================