Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2137 thunderbird security update 19 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: thunderbird Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-12410 CVE-2020-12406 CVE-2020-12405 CVE-2020-12398 Reference: ESB-2020.2058 ESB-2020.2049 ESB-2020.2000 ESB-2020.1970 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:2611 https://access.redhat.com/errata/RHSA-2020:2616 https://access.redhat.com/errata/RHSA-2020:2613 Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:2611-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2611 Issue date: 2020-06-18 CVE Names: CVE-2020-12398 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.9.0. Security Fix(es): * Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage (CVE-2020-12398) * Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405) * Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406) * Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 (CVE-2020-12410) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes 1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService 1846556 - CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: thunderbird-68.9.0-1.el8_1.src.rpm ppc64le: thunderbird-68.9.0-1.el8_1.ppc64le.rpm thunderbird-debuginfo-68.9.0-1.el8_1.ppc64le.rpm thunderbird-debugsource-68.9.0-1.el8_1.ppc64le.rpm x86_64: thunderbird-68.9.0-1.el8_1.x86_64.rpm thunderbird-debuginfo-68.9.0-1.el8_1.x86_64.rpm thunderbird-debugsource-68.9.0-1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-12398 https://access.redhat.com/security/cve/CVE-2020-12405 https://access.redhat.com/security/cve/CVE-2020-12406 https://access.redhat.com/security/cve/CVE-2020-12410 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuwbd9zjgjWX9erEAQhP1A/8CHLPRpcTFYiiZEKE/G90qMdSZE6irHUW +V/mAzGoOyLCCaEwcYoLN7QXlyPjn0nYdCXA+UXqJlQGiL0+wr4r9jlIN/rveTdN p7k/gvBpfJxnNVn4uvzKM26geFiKyz9WHnDA96Ndmwjgh8B8VZtTH89yBhrsqZ9P 7NGDZbkMQupTdNPpBWXOoZsuqP7qZgOy2PD+2uUcZNaSHlH3Z2VdWE9hrIlrpnMM WHjq0Kp/FBx+QFtgzzSiMkVyiQf7Bxhu0YQwukwjpO4VN1cqyrZVOkHTHgjHbh9x pMh3EqSU2iObI+saa3Hx3B+EP1uFoVSusbG+wve7k8ie3i8tja2NB4WK4wUeDzxk j5h9x7jfnnmmMsRJtFIF6/Ic0T8z/URAeeiJZjLS9eH2T03E5raqkBndtT5bZOCQ 96fZeZlrqhN8bR2bl0MXN5+vUJLuMPJsHx8k3MIUmg5H49uyvTa4hz9KxIBtaByD Tz3M/SvczoB4Zve+JzJoS6/T/i+MtlZIdErVKzjMAFNdzjR7dZZQoQK69MQzoyYB GtKCTUmIolGF5vEfRmagmGQy0tST9bt2m3wIZhF1HeeHD60nzUP1mzYKTWQo8+Vf snWA2GMFrdoh7BVO4Rj/9Pet9ACVHl0WHaTH1H2/xvHzMkuXzy19sPvrquZgGYK5 ps2TEEe20nI= =x78l - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:2616-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2616 Issue date: 2020-06-18 CVE Names: CVE-2020-12398 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream E4S (v. 8.0) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.9.0. Security Fix(es): * Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage (CVE-2020-12398) * Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405) * Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406) * Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 (CVE-2020-12410) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes 1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService 1846556 - CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage 6. Package List: Red Hat Enterprise Linux AppStream E4S (v. 8.0): Source: thunderbird-68.9.0-1.el8_0.src.rpm ppc64le: thunderbird-68.9.0-1.el8_0.ppc64le.rpm thunderbird-debuginfo-68.9.0-1.el8_0.ppc64le.rpm thunderbird-debugsource-68.9.0-1.el8_0.ppc64le.rpm x86_64: thunderbird-68.9.0-1.el8_0.x86_64.rpm thunderbird-debuginfo-68.9.0-1.el8_0.x86_64.rpm thunderbird-debugsource-68.9.0-1.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-12398 https://access.redhat.com/security/cve/CVE-2020-12405 https://access.redhat.com/security/cve/CVE-2020-12406 https://access.redhat.com/security/cve/CVE-2020-12410 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuwbktzjgjWX9erEAQgpEg/+PLD8jxyS69SXSGiFoxwOg3n/Dx85EEFf m0zHFzgwhE3cIjTFEvBVBGUs53SXQwkBys4Y8dJPiVhJGcq9iZ8b7EzOpeSgZI9S 9uTJQN7dbyGGqVvLRW+zXPy1gtcerrjVLGuYqbytdPZTKL8iYBVDJvHlFIU9LVMx siFhcRqkQ+uB1p/ux3xmNBjr2OsZnHTmPPlk/bT+K4J8sWXteVYFRqhmLWTULfgL IyhNZ/h7pWmPhr5GjCfc2BkiyrHgaCq5L+obtBD7DrSkZMSOgWdF1sFwOTbfeQde 7pAMC79EHWR0sDuowu71iDHND6KX+aGxyPcFbCk16jgQxA0cHN1HFmaUZmdfFVh1 6/3CcNDIh9RTB7cCYXEVvsCy+Uqel1nEE0Lye8Uo8SY0Yn7AHz925ZjC/cL1Suhl XqmDgoOfKdGJTBOTtccqA9rtiARqqHMWpBQX9Ky6hOCqxb+FPjOd0LG07aG8EZS3 WMMHSh/5s7Qb3+X1GCOHXX1+UDDJUUTrDIOiqwsEoo/iRX5INHsr1nRbtI6adYZ+ vMYShoGHqM50YFwNCww4RAM+7nI3CEQNmbppoMGGg+4VMxy9zVI5FGL2XcOmIX4W bStG+q8uCSMbJwXVhtSgyOjUjj9Bhf1vetUCyqYthBtnLMTVIa5H9Y4tQ3v6i6/a 7F/6zzGFp60= =Je7F - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:2613-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2613 Issue date: 2020-06-18 CVE Names: CVE-2020-12398 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.9.0. Security Fix(es): * Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage (CVE-2020-12398) * Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405) * Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406) * Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 (CVE-2020-12410) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9 1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes 1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService 1846556 - CVE-2020-12398 Mozilla: Security downgrade with IMAP STARTTLS leads to information leakage 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: thunderbird-68.9.0-1.el6_10.src.rpm i386: thunderbird-68.9.0-1.el6_10.i686.rpm thunderbird-debuginfo-68.9.0-1.el6_10.i686.rpm x86_64: thunderbird-68.9.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-68.9.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: thunderbird-68.9.0-1.el6_10.src.rpm i386: thunderbird-68.9.0-1.el6_10.i686.rpm thunderbird-debuginfo-68.9.0-1.el6_10.i686.rpm ppc64: thunderbird-68.9.0-1.el6_10.ppc64.rpm thunderbird-debuginfo-68.9.0-1.el6_10.ppc64.rpm s390x: thunderbird-68.9.0-1.el6_10.s390x.rpm thunderbird-debuginfo-68.9.0-1.el6_10.s390x.rpm x86_64: thunderbird-68.9.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-68.9.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: thunderbird-68.9.0-1.el6_10.src.rpm i386: thunderbird-68.9.0-1.el6_10.i686.rpm thunderbird-debuginfo-68.9.0-1.el6_10.i686.rpm x86_64: thunderbird-68.9.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-68.9.0-1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-12398 https://access.redhat.com/security/cve/CVE-2020-12405 https://access.redhat.com/security/cve/CVE-2020-12406 https://access.redhat.com/security/cve/CVE-2020-12410 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuwsXtzjgjWX9erEAQhIHA/8CsCL2H35XvgN7rsooJeXunE/vD1NCDul 5nP+PhNSOUU5I9/nHOqjJ/S8xa5ETK8lTK06aGZPQGIBb4SFpxGahahbaXJXp5JO Va4vlemzqy3p38sFOY+bqlBjIOpyJZ3+SY8Pm971Fd13QR/oJer9xcH4fb7+7Mcu hpiWmKyQyNOPXJiTk/SAY64OZney9vfLEFYzHhFEYb4SJe4aSCbOch4BhTboXptJ AymbygTSLsEx4t4SsahCWnBU0P18NJl744MOrkUFZ8dOWvUVDuRo4Y5DwbZ1Yy+b l1Lz6qJORRxnbPqYmX+Fb1XZ4DrgJuHuSeXYV06QDXLvL7RcDfXo+q1OJzNazh4M d5Dt4K6ke1GHcr+s2+Fj+f/S/ZgYBxSpXhkwCUMjcl4lVTCIF4qh/TrHq223ipK6 dQxX0smqbvPWfsAqc6tpQC8T/kFsGbhSIO3TyZL101BhS5K/fzpHbgcPEUzAHb0q fctr8YCFj3FY5RIrUYLGazfuSNTQezvWa3oxhU/jg6Gs+zi0Ob1I9Yo4n1BTVDQL 7eUwM0TVpXV9X/MH8WkuwNoLa9s/cHnuAkJCdiHy5oRMnBbaVfklLk580n++BaqI hzFcesZQtBiWgMAruy0uu/z39p8DkGhmRTNI9kxbm3DlSli39fFXQJ3RXTo0iSaI TRpdV40WdeY= =3gdA - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXuw3LeNLKJtyKPYoAQh+DhAAjdfaMlo+JLsBPHp38yMZGob5Te7AqcBX dUmB6hh2DpNE1TTlxLpJTqqhdTJtIGoVGCpX5vIC6m0pUJ66bBV07mAxoAJdZLk9 YNXH+yxbC6UlcZJpe2RTlED4UNnMaNxxfgQ7g+0h5/3dqiRSA499kFDTiJmZyny1 kjJlaAwEZX1lH1lVfhUQ7UdJQqtALa/32GOPDXySUFSVRg2hhOAMOOgdhPzv5gca 9lHykLcrqaca3G7GWKlLpOihRHcplM/hAFmx9eJQKFfFlJ+MQ2io8wPfogApqGTh ONUQSiCqqIrwatiaoEQsCHB3BbUoyFGbQxaoVAkzlALe0X/YWhsKso6EDMbNSGg3 5+UQParjdfj0trSBE6fYpzDTF3UH6knIBDVaqCx3otDR6/MU1yZMP0rDhLo6KB8J k7704eMQTVQ+4LAQKCVNSkpeznuIdAz6Nn9EoVzhOpSJ3lu9x4El1vbb7cIhJ4js wk9zbU/swtPpl12jurCOaKkdJzXJzo9G6aFIB56y5ZFH4UPZ+WIbVrUT5qyRNGgF ejYsmmQ5AYMlDAFKu6YGxRb2vDtR3mcKLk5Mvirrlh+8QrylPiZo0j1q0Ybj+xOc 18hMpUjFK+vI0fQHF/179gzov+yM2aFplAeDjMsIxk0F4SLOnGUEHDMBQTbbw4ll ED/X1+2rYVc= =C8uQ -----END PGP SIGNATURE-----