-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3056
                        thunderbird security update
                             8 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15669 CVE-2020-15664 

Reference:         ESB-2020.3053
                   ESB-2020.2987
                   ESB-2020.2980
                   ESB-2020.2956.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:3631
   https://access.redhat.com/errata/RHSA-2020:3632
   https://access.redhat.com/errata/RHSA-2020:3633
   https://access.redhat.com/errata/RHSA-2020:3634

Comment: This bulletin contains four (4) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:3631-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3631
Issue date:        2020-09-07
CVE Names:         CVE-2020-15664 CVE-2020-15669 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.12.0.

Security Fix(es):

* Mozilla: Attacker-induced prompt for extension installation
(CVE-2020-15664)

* Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation
1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
thunderbird-68.12.0-1.el7_8.src.rpm

x86_64:
thunderbird-68.12.0-1.el7_8.x86_64.rpm
thunderbird-debuginfo-68.12.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
thunderbird-68.12.0-1.el7_8.src.rpm

ppc64le:
thunderbird-68.12.0-1.el7_8.ppc64le.rpm
thunderbird-debuginfo-68.12.0-1.el7_8.ppc64le.rpm

x86_64:
thunderbird-68.12.0-1.el7_8.x86_64.rpm
thunderbird-debuginfo-68.12.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
thunderbird-68.12.0-1.el7_8.src.rpm

x86_64:
thunderbird-68.12.0-1.el7_8.x86_64.rpm
thunderbird-debuginfo-68.12.0-1.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15664
https://access.redhat.com/security/cve/CVE-2020-15669
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX1Xr2tzjgjWX9erEAQjdEBAAl9skbALP8YYdJ7K0UvUF6v9nQvMjotJu
awpFuWvfNxJnYqe/6v/dxS5VFw9KI5DCsR5zhOyrpGM2FeLM8U1Whbgq5IUWycKD
cKnVkrw40n6i6hAECJ7CLRDdM3lTreJf0IcF4VskiIVq5FOUUS+Wd9adwZO89K9k
6PQU1A5ylhGJMBIJlleKtdpVeIK4GjJT1noWoHWUZOiz51ka5F3y0IzOdwKzbRTz
YyP9HFmwplgi8f4RE0jwHakEQlRmgT7xSN1AnqOUGBBnpbLpGsIq9WsBFZCET/f8
WYghMjFKiTsCUNPzvc+KgKlNMJNCZPZM1zCVzGhMjT8AHYHNlQ4nOqx7wLS/LUOM
pwOt4XUjBHcp5ZDVKMOpMtgf6pdt5chLwLI50FDHRc0fKPgn1siIDGcAsRdS1UM7
JKhzUlCTx3D9gtwbl4TPjiP3CNOQBycU9XpiQ1HDK7qXbRi3NO3xrxGIOvoEwTPV
6cwl8UMC+kOIy9QOlRGlc+1rFDuEiifBjcd3w2XpC3y8N+VBdveiyy6gwCAWvxWK
trAZVrQ/d64YIBp63vH4YYxnQWwY7uV9bUf+I3hFSFcdkVAlOG/fNq3z3K6nCAok
AKDZlRCFjqHPY8vKxfLI37d54gQe0cEm8kHXAiFxq10tH5qf9ztl14/97881DtJP
MtNURL0WB2s=
=GRVJ
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:3632-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3632
Issue date:        2020-09-07
CVE Names:         CVE-2020-15664 CVE-2020-15669 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.12.0.

Security Fix(es):

* Mozilla: Attacker-induced prompt for extension installation
(CVE-2020-15664)

* Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation
1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
thunderbird-68.12.0-1.el8_1.src.rpm

ppc64le:
thunderbird-68.12.0-1.el8_1.ppc64le.rpm
thunderbird-debuginfo-68.12.0-1.el8_1.ppc64le.rpm
thunderbird-debugsource-68.12.0-1.el8_1.ppc64le.rpm

x86_64:
thunderbird-68.12.0-1.el8_1.x86_64.rpm
thunderbird-debuginfo-68.12.0-1.el8_1.x86_64.rpm
thunderbird-debugsource-68.12.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15664
https://access.redhat.com/security/cve/CVE-2020-15669
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX1XuqtzjgjWX9erEAQjPfw/9HhQYjuuZxSosfUcvBYhEZ+2PKxCK7R7A
Lqis8L9joV9xqih79QHZrRS6ApdS24V88nvNwPIG3f4drOVA0f47jMH1N/1RyZIC
D6a4zyQMlP+JutLeNiEIwWdrkFh/V0i117Jbf8gLnrWhDBgpmRbVe7sAsS6np8VH
R9FTkuaWNbzLi3YI4y82jJJTP61pVHv5+ggA7C44oxj4mPllyTM0+4LB9RDSf6jY
I5YvOiSFNslcmtvSpK6WFKcMFZEBzKKGR4seiNzOIe+ptDav6Kr0A52D0/yJshnj
TprgcpakWD6WYnTluRdulGo7KH7cAsuxQEA/OS7FTXHj/YIvZSaU2WN/Op8hIJXh
PFWtrqKEECOou2T1oVYako46Lbyt+YIzEfbB8qRK0j18ph95gjuNUo65v5XIySUx
Cek35zFIY9jHtHS0b7qEVYSM1/i+Uo7xJTic3xgXZjg/ik9OeRE6awCoHeijTknN
Cms+69Valh4w27a4x0kWttehXOHGTQrI3SQQSo4tIXtNlybvwd/CGMX3M5rAt415
Hvt3V03v2rFsqlzZyiBv/ouOY9o5EbdREh0PkFloZEfWAJknE7bXoT3lnge//eVZ
mJBLiTPy7iMJf51R03WF5DFEpny5JdPCpiL5Xmed2sSGdU+GEAN4FYfB6fhYj3nz
M0aFb5LfQbY=
=4HCZ
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:3633-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3633
Issue date:        2020-09-07
CVE Names:         CVE-2020-15664 CVE-2020-15669 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.12.0.

Security Fix(es):

* Mozilla: Attacker-induced prompt for extension installation
(CVE-2020-15664)

* Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation
1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
thunderbird-68.12.0-1.el8_0.src.rpm

ppc64le:
thunderbird-68.12.0-1.el8_0.ppc64le.rpm
thunderbird-debuginfo-68.12.0-1.el8_0.ppc64le.rpm
thunderbird-debugsource-68.12.0-1.el8_0.ppc64le.rpm

x86_64:
thunderbird-68.12.0-1.el8_0.x86_64.rpm
thunderbird-debuginfo-68.12.0-1.el8_0.x86_64.rpm
thunderbird-debugsource-68.12.0-1.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15664
https://access.redhat.com/security/cve/CVE-2020-15669
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX1XtftzjgjWX9erEAQjsug/6AigFjjpwGrArnaVdo9uzbhWRBbhcNIBa
y48HBVChBG8eIfss9Clhn7j370dyxrlg5Viz/wF65jem/AK8pQVDCOaLyqaiFOtV
h3KfGMOkzq1culjbH7SkFt1rxKBv6r2DvP4nmEwZ4DMRSyy4enmj2PJZCIVR3MVw
GYQOSgiSuXwIK/CiJKGjDb8m5Ss5YJBHtDHU5FjySZtDc9IUIesn+bYrg8GbGL6s
R81LPorRUpjmSX02iGEFe3TSvIiN2LACqxA6QQ1Xflp/8RSS8Q/mAnc20vB4khc1
a/QXi0dNETUG8D5aXNUfahqNj10f6MXWM/l08uj0c4DtkWvWA1qLE7Jtb503kLUK
GuLLyADrOsOSxXHMAwvjZe2BHx5gpbJk0lBW4azZrZ0YqL79vIjFk8JQy0th+74x
P7Ytjc/1gjQlqj9ftYEFDuQElZifm/8wQ/mtz77oqgP052SDi9bJTcBHqzNAHM3V
AhKW4qGTpO+WVobsUdQYDU4UTgPX3a9PwJfpBkhNRC6iNbBC8RG0DFAwv1e+FiPS
INcsuwB0WmSt2XgWftWKIxRoU7MCJdNHIq8TxIRVfjy+O+E7GAj4QxkjBbZhXTtN
u8IdvlJ5NZlE1+xKBsxRCa3hhks913iH9Z0JICtMw96oYoQ72mY2N8EbI2IlXJ7K
O17Vt5zhPuA=
=bGN6
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:3634-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3634
Issue date:        2020-09-07
CVE Names:         CVE-2020-15664 CVE-2020-15669 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.12.0.

Security Fix(es):

* Mozilla: Attacker-induced prompt for extension installation
(CVE-2020-15664)

* Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation
1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
thunderbird-68.12.0-1.el8_2.src.rpm

aarch64:
thunderbird-68.12.0-1.el8_2.aarch64.rpm
thunderbird-debuginfo-68.12.0-1.el8_2.aarch64.rpm
thunderbird-debugsource-68.12.0-1.el8_2.aarch64.rpm

ppc64le:
thunderbird-68.12.0-1.el8_2.ppc64le.rpm
thunderbird-debuginfo-68.12.0-1.el8_2.ppc64le.rpm
thunderbird-debugsource-68.12.0-1.el8_2.ppc64le.rpm

x86_64:
thunderbird-68.12.0-1.el8_2.x86_64.rpm
thunderbird-debuginfo-68.12.0-1.el8_2.x86_64.rpm
thunderbird-debugsource-68.12.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15664
https://access.redhat.com/security/cve/CVE-2020-15669
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX1XvmtzjgjWX9erEAQhPcw/9Gv9Hp+LKKtojIi99auQKwvmlvqD9ERWy
nEXuXmz+KH5tF1R2Ni8rzZrSGrvv6fUQWpovndMPiv7M050ilDqHqIZ0rz/paH6D
XsWtSviTMY36b30PH0ZsskRDH9FLLzeyznNaNQz9/PMWb18gLfOPx0ursSxod1be
H6SUKInXassdFmQg5z0MvlnrPDuxy0/TsllDU4QeQdXnW+HvUrFM+P+wAebtxkaV
JmIQFMoUqMM46COhop52vlHnoxdXL2VYXS0ZDUztknT04qQc+0JTAvoo2yd+4NdE
Yd8ocGiXZxo5JN9M5AA2lDGHUnt6L8VQqpvSEVCAIRfXBXP+7o1JO1Rs992MspEw
JJmGUdKQIKQ1PPvbaC9787B7bHQbr11757/SyPokVN/7dKTGO7jfFbectmqijDxW
93uMF46WQmPJLhU/TxUZvvxnank/E9fJ127+rOO0pgQ5q1PJfF48t4YUFJqluuqV
6Uv/4U7IGkoXrrLI/P9z2t/KMsPhW+uLnt6chdL052yj0ad0Zie6rVRPz1ww6YTP
qO/cfE6645C8rj5fFws6gAnJeZdU7910RSW2vQ7dkJfXENeESJwk4c/4CKfkzPI3
p4X9zuD+CQsl94olKcwGcqfqi8DOVGAW1Us3pOhgbSjDc0R9G0irGeUGc4OetU24
t0IFhpWe7jA=
=gyFF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX1bvMeNLKJtyKPYoAQgzexAAmHgFTpYlxKqnkiVoACQQvD8fCeRA0SJT
6fWcZONJJqrxiRzJxZ5hNseat2wHHrBHnSzI2AB4iYpSFoBhH6BSV52xZXR7BqNc
unVv4hiSVnp8hvlceWLKHAfnCih4IbFC6DzkBE/IsKrxh/wFoR9hLVBkjrZlVfyI
kR0iX53gYEyJfWUJTXWrhcwALSAIVO9cNXo8ergxMjZZLvaL5z3AytXXoZ97oODj
9GouGJcy3I8JI0BpmncTmZquX4x/c0b3FazbUvAg09p8U0oXihHvvqOeZgbpo/af
4nOrsK+zCh8sXKloXL08inaiR5DAiJwZAXWaJ32gTgLc1Mi/sV0Q88LOiZRHUNqB
RK6zzeTgoa0rV6cF6uUbfpJGK/TvhrIa6LtAFdPsbPxV/3bo2+o2Swqq1Omfz5yh
dLKHvqUQ5MCKzAIILls8y94IOMzJyu/mknbTiMcjKzJ+ngroCT3+D7a14R5Pgom+
mvYh48i4+ZS9UeGh2Laq7SYaSZ8l/wzyckzJQj/Qbkvr9uw7nvyM5b8OMgUgd56Q
8i4kwpa4T+y3S4rtZQeIA2Ux8l3rpV+4C7Vdb+o4QsRJz5EqffanLATjxycEyGfN
gppC84SHrYcYKiv/sHXmJnFbd4j0dJtf9e9vSekUv7is0XDK2q9kNz4TJJ1FzeiE
Ju+ABLecYVs=
=yO4+
-----END PGP SIGNATURE-----