Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2137
thunderbird security update
19 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: thunderbird
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-12410 CVE-2020-12406 CVE-2020-12405
CVE-2020-12398
Reference: ESB-2020.2058
ESB-2020.2049
ESB-2020.2000
ESB-2020.1970
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2611
https://access.redhat.com/errata/RHSA-2020:2616
https://access.redhat.com/errata/RHSA-2020:2613
Comment: This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2020:2611-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2611
Issue date: 2020-06-18
CVE Names: CVE-2020-12398 CVE-2020-12405 CVE-2020-12406
CVE-2020-12410
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 68.9.0.
Security Fix(es):
* Mozilla: Security downgrade with IMAP STARTTLS leads to information
leakage (CVE-2020-12398)
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
1846556 - CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
thunderbird-68.9.0-1.el8_1.src.rpm
ppc64le:
thunderbird-68.9.0-1.el8_1.ppc64le.rpm
thunderbird-debuginfo-68.9.0-1.el8_1.ppc64le.rpm
thunderbird-debugsource-68.9.0-1.el8_1.ppc64le.rpm
x86_64:
thunderbird-68.9.0-1.el8_1.x86_64.rpm
thunderbird-debuginfo-68.9.0-1.el8_1.x86_64.rpm
thunderbird-debugsource-68.9.0-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12398
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXuwbd9zjgjWX9erEAQhP1A/8CHLPRpcTFYiiZEKE/G90qMdSZE6irHUW
+V/mAzGoOyLCCaEwcYoLN7QXlyPjn0nYdCXA+UXqJlQGiL0+wr4r9jlIN/rveTdN
p7k/gvBpfJxnNVn4uvzKM26geFiKyz9WHnDA96Ndmwjgh8B8VZtTH89yBhrsqZ9P
7NGDZbkMQupTdNPpBWXOoZsuqP7qZgOy2PD+2uUcZNaSHlH3Z2VdWE9hrIlrpnMM
WHjq0Kp/FBx+QFtgzzSiMkVyiQf7Bxhu0YQwukwjpO4VN1cqyrZVOkHTHgjHbh9x
pMh3EqSU2iObI+saa3Hx3B+EP1uFoVSusbG+wve7k8ie3i8tja2NB4WK4wUeDzxk
j5h9x7jfnnmmMsRJtFIF6/Ic0T8z/URAeeiJZjLS9eH2T03E5raqkBndtT5bZOCQ
96fZeZlrqhN8bR2bl0MXN5+vUJLuMPJsHx8k3MIUmg5H49uyvTa4hz9KxIBtaByD
Tz3M/SvczoB4Zve+JzJoS6/T/i+MtlZIdErVKzjMAFNdzjR7dZZQoQK69MQzoyYB
GtKCTUmIolGF5vEfRmagmGQy0tST9bt2m3wIZhF1HeeHD60nzUP1mzYKTWQo8+Vf
snWA2GMFrdoh7BVO4Rj/9Pet9ACVHl0WHaTH1H2/xvHzMkuXzy19sPvrquZgGYK5
ps2TEEe20nI=
=x78l
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2020:2616-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2616
Issue date: 2020-06-18
CVE Names: CVE-2020-12398 CVE-2020-12405 CVE-2020-12406
CVE-2020-12410
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream E4S (v. 8.0) - ppc64le, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 68.9.0.
Security Fix(es):
* Mozilla: Security downgrade with IMAP STARTTLS leads to information
leakage (CVE-2020-12398)
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
1846556 - CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage
6. Package List:
Red Hat Enterprise Linux AppStream E4S (v. 8.0):
Source:
thunderbird-68.9.0-1.el8_0.src.rpm
ppc64le:
thunderbird-68.9.0-1.el8_0.ppc64le.rpm
thunderbird-debuginfo-68.9.0-1.el8_0.ppc64le.rpm
thunderbird-debugsource-68.9.0-1.el8_0.ppc64le.rpm
x86_64:
thunderbird-68.9.0-1.el8_0.x86_64.rpm
thunderbird-debuginfo-68.9.0-1.el8_0.x86_64.rpm
thunderbird-debugsource-68.9.0-1.el8_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12398
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXuwbktzjgjWX9erEAQgpEg/+PLD8jxyS69SXSGiFoxwOg3n/Dx85EEFf
m0zHFzgwhE3cIjTFEvBVBGUs53SXQwkBys4Y8dJPiVhJGcq9iZ8b7EzOpeSgZI9S
9uTJQN7dbyGGqVvLRW+zXPy1gtcerrjVLGuYqbytdPZTKL8iYBVDJvHlFIU9LVMx
siFhcRqkQ+uB1p/ux3xmNBjr2OsZnHTmPPlk/bT+K4J8sWXteVYFRqhmLWTULfgL
IyhNZ/h7pWmPhr5GjCfc2BkiyrHgaCq5L+obtBD7DrSkZMSOgWdF1sFwOTbfeQde
7pAMC79EHWR0sDuowu71iDHND6KX+aGxyPcFbCk16jgQxA0cHN1HFmaUZmdfFVh1
6/3CcNDIh9RTB7cCYXEVvsCy+Uqel1nEE0Lye8Uo8SY0Yn7AHz925ZjC/cL1Suhl
XqmDgoOfKdGJTBOTtccqA9rtiARqqHMWpBQX9Ky6hOCqxb+FPjOd0LG07aG8EZS3
WMMHSh/5s7Qb3+X1GCOHXX1+UDDJUUTrDIOiqwsEoo/iRX5INHsr1nRbtI6adYZ+
vMYShoGHqM50YFwNCww4RAM+7nI3CEQNmbppoMGGg+4VMxy9zVI5FGL2XcOmIX4W
bStG+q8uCSMbJwXVhtSgyOjUjj9Bhf1vetUCyqYthBtnLMTVIa5H9Y4tQ3v6i6/a
7F/6zzGFp60=
=Je7F
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2020:2613-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2613
Issue date: 2020-06-18
CVE Names: CVE-2020-12398 CVE-2020-12405 CVE-2020-12406
CVE-2020-12410
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 68.9.0.
Security Fix(es):
* Mozilla: Security downgrade with IMAP STARTTLS leads to information
leakage (CVE-2020-12398)
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
1846556 - CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
thunderbird-68.9.0-1.el6_10.src.rpm
i386:
thunderbird-68.9.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.i686.rpm
x86_64:
thunderbird-68.9.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
thunderbird-68.9.0-1.el6_10.src.rpm
i386:
thunderbird-68.9.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.i686.rpm
ppc64:
thunderbird-68.9.0-1.el6_10.ppc64.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.ppc64.rpm
s390x:
thunderbird-68.9.0-1.el6_10.s390x.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.s390x.rpm
x86_64:
thunderbird-68.9.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
thunderbird-68.9.0-1.el6_10.src.rpm
i386:
thunderbird-68.9.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.i686.rpm
x86_64:
thunderbird-68.9.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.9.0-1.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12398
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXuwsXtzjgjWX9erEAQhIHA/8CsCL2H35XvgN7rsooJeXunE/vD1NCDul
5nP+PhNSOUU5I9/nHOqjJ/S8xa5ETK8lTK06aGZPQGIBb4SFpxGahahbaXJXp5JO
Va4vlemzqy3p38sFOY+bqlBjIOpyJZ3+SY8Pm971Fd13QR/oJer9xcH4fb7+7Mcu
hpiWmKyQyNOPXJiTk/SAY64OZney9vfLEFYzHhFEYb4SJe4aSCbOch4BhTboXptJ
AymbygTSLsEx4t4SsahCWnBU0P18NJl744MOrkUFZ8dOWvUVDuRo4Y5DwbZ1Yy+b
l1Lz6qJORRxnbPqYmX+Fb1XZ4DrgJuHuSeXYV06QDXLvL7RcDfXo+q1OJzNazh4M
d5Dt4K6ke1GHcr+s2+Fj+f/S/ZgYBxSpXhkwCUMjcl4lVTCIF4qh/TrHq223ipK6
dQxX0smqbvPWfsAqc6tpQC8T/kFsGbhSIO3TyZL101BhS5K/fzpHbgcPEUzAHb0q
fctr8YCFj3FY5RIrUYLGazfuSNTQezvWa3oxhU/jg6Gs+zi0Ob1I9Yo4n1BTVDQL
7eUwM0TVpXV9X/MH8WkuwNoLa9s/cHnuAkJCdiHy5oRMnBbaVfklLk580n++BaqI
hzFcesZQtBiWgMAruy0uu/z39p8DkGhmRTNI9kxbm3DlSli39fFXQJ3RXTo0iSaI
TRpdV40WdeY=
=3gdA
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXuw3LeNLKJtyKPYoAQh+DhAAjdfaMlo+JLsBPHp38yMZGob5Te7AqcBX
dUmB6hh2DpNE1TTlxLpJTqqhdTJtIGoVGCpX5vIC6m0pUJ66bBV07mAxoAJdZLk9
YNXH+yxbC6UlcZJpe2RTlED4UNnMaNxxfgQ7g+0h5/3dqiRSA499kFDTiJmZyny1
kjJlaAwEZX1lH1lVfhUQ7UdJQqtALa/32GOPDXySUFSVRg2hhOAMOOgdhPzv5gca
9lHykLcrqaca3G7GWKlLpOihRHcplM/hAFmx9eJQKFfFlJ+MQ2io8wPfogApqGTh
ONUQSiCqqIrwatiaoEQsCHB3BbUoyFGbQxaoVAkzlALe0X/YWhsKso6EDMbNSGg3
5+UQParjdfj0trSBE6fYpzDTF3UH6knIBDVaqCx3otDR6/MU1yZMP0rDhLo6KB8J
k7704eMQTVQ+4LAQKCVNSkpeznuIdAz6Nn9EoVzhOpSJ3lu9x4El1vbb7cIhJ4js
wk9zbU/swtPpl12jurCOaKkdJzXJzo9G6aFIB56y5ZFH4UPZ+WIbVrUT5qyRNGgF
ejYsmmQ5AYMlDAFKu6YGxRb2vDtR3mcKLk5Mvirrlh+8QrylPiZo0j1q0Ybj+xOc
18hMpUjFK+vI0fQHF/179gzov+yM2aFplAeDjMsIxk0F4SLOnGUEHDMBQTbbw4ll
ED/X1+2rYVc=
=C8uQ
-----END PGP SIGNATURE-----