Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3056 thunderbird security update 8 September 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: thunderbird Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Red Hat Enterprise Linux Server 8 Red Hat Enterprise Linux WS/Desktop 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-15669 CVE-2020-15664 Reference: ESB-2020.3053 ESB-2020.2987 ESB-2020.2980 ESB-2020.2956.2 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:3631 https://access.redhat.com/errata/RHSA-2020:3632 https://access.redhat.com/errata/RHSA-2020:3633 https://access.redhat.com/errata/RHSA-2020:3634 Comment: This bulletin contains four (4) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:3631-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3631 Issue date: 2020-09-07 CVE Names: CVE-2020-15664 CVE-2020-15669 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.12.0. Security Fix(es): * Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664) * Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation 1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: thunderbird-68.12.0-1.el7_8.src.rpm x86_64: thunderbird-68.12.0-1.el7_8.x86_64.rpm thunderbird-debuginfo-68.12.0-1.el7_8.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: thunderbird-68.12.0-1.el7_8.src.rpm ppc64le: thunderbird-68.12.0-1.el7_8.ppc64le.rpm thunderbird-debuginfo-68.12.0-1.el7_8.ppc64le.rpm x86_64: thunderbird-68.12.0-1.el7_8.x86_64.rpm thunderbird-debuginfo-68.12.0-1.el7_8.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: thunderbird-68.12.0-1.el7_8.src.rpm x86_64: thunderbird-68.12.0-1.el7_8.x86_64.rpm thunderbird-debuginfo-68.12.0-1.el7_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-15664 https://access.redhat.com/security/cve/CVE-2020-15669 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX1Xr2tzjgjWX9erEAQjdEBAAl9skbALP8YYdJ7K0UvUF6v9nQvMjotJu awpFuWvfNxJnYqe/6v/dxS5VFw9KI5DCsR5zhOyrpGM2FeLM8U1Whbgq5IUWycKD cKnVkrw40n6i6hAECJ7CLRDdM3lTreJf0IcF4VskiIVq5FOUUS+Wd9adwZO89K9k 6PQU1A5ylhGJMBIJlleKtdpVeIK4GjJT1noWoHWUZOiz51ka5F3y0IzOdwKzbRTz YyP9HFmwplgi8f4RE0jwHakEQlRmgT7xSN1AnqOUGBBnpbLpGsIq9WsBFZCET/f8 WYghMjFKiTsCUNPzvc+KgKlNMJNCZPZM1zCVzGhMjT8AHYHNlQ4nOqx7wLS/LUOM pwOt4XUjBHcp5ZDVKMOpMtgf6pdt5chLwLI50FDHRc0fKPgn1siIDGcAsRdS1UM7 JKhzUlCTx3D9gtwbl4TPjiP3CNOQBycU9XpiQ1HDK7qXbRi3NO3xrxGIOvoEwTPV 6cwl8UMC+kOIy9QOlRGlc+1rFDuEiifBjcd3w2XpC3y8N+VBdveiyy6gwCAWvxWK trAZVrQ/d64YIBp63vH4YYxnQWwY7uV9bUf+I3hFSFcdkVAlOG/fNq3z3K6nCAok AKDZlRCFjqHPY8vKxfLI37d54gQe0cEm8kHXAiFxq10tH5qf9ztl14/97881DtJP MtNURL0WB2s= =GRVJ - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:3632-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3632 Issue date: 2020-09-07 CVE Names: CVE-2020-15664 CVE-2020-15669 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.12.0. Security Fix(es): * Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664) * Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation 1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: thunderbird-68.12.0-1.el8_1.src.rpm ppc64le: thunderbird-68.12.0-1.el8_1.ppc64le.rpm thunderbird-debuginfo-68.12.0-1.el8_1.ppc64le.rpm thunderbird-debugsource-68.12.0-1.el8_1.ppc64le.rpm x86_64: thunderbird-68.12.0-1.el8_1.x86_64.rpm thunderbird-debuginfo-68.12.0-1.el8_1.x86_64.rpm thunderbird-debugsource-68.12.0-1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-15664 https://access.redhat.com/security/cve/CVE-2020-15669 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX1XuqtzjgjWX9erEAQjPfw/9HhQYjuuZxSosfUcvBYhEZ+2PKxCK7R7A Lqis8L9joV9xqih79QHZrRS6ApdS24V88nvNwPIG3f4drOVA0f47jMH1N/1RyZIC D6a4zyQMlP+JutLeNiEIwWdrkFh/V0i117Jbf8gLnrWhDBgpmRbVe7sAsS6np8VH R9FTkuaWNbzLi3YI4y82jJJTP61pVHv5+ggA7C44oxj4mPllyTM0+4LB9RDSf6jY I5YvOiSFNslcmtvSpK6WFKcMFZEBzKKGR4seiNzOIe+ptDav6Kr0A52D0/yJshnj TprgcpakWD6WYnTluRdulGo7KH7cAsuxQEA/OS7FTXHj/YIvZSaU2WN/Op8hIJXh PFWtrqKEECOou2T1oVYako46Lbyt+YIzEfbB8qRK0j18ph95gjuNUo65v5XIySUx Cek35zFIY9jHtHS0b7qEVYSM1/i+Uo7xJTic3xgXZjg/ik9OeRE6awCoHeijTknN Cms+69Valh4w27a4x0kWttehXOHGTQrI3SQQSo4tIXtNlybvwd/CGMX3M5rAt415 Hvt3V03v2rFsqlzZyiBv/ouOY9o5EbdREh0PkFloZEfWAJknE7bXoT3lnge//eVZ mJBLiTPy7iMJf51R03WF5DFEpny5JdPCpiL5Xmed2sSGdU+GEAN4FYfB6fhYj3nz M0aFb5LfQbY= =4HCZ - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:3633-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3633 Issue date: 2020-09-07 CVE Names: CVE-2020-15664 CVE-2020-15669 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream E4S (v. 8.0) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.12.0. Security Fix(es): * Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664) * Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation 1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation 6. Package List: Red Hat Enterprise Linux AppStream E4S (v. 8.0): Source: thunderbird-68.12.0-1.el8_0.src.rpm ppc64le: thunderbird-68.12.0-1.el8_0.ppc64le.rpm thunderbird-debuginfo-68.12.0-1.el8_0.ppc64le.rpm thunderbird-debugsource-68.12.0-1.el8_0.ppc64le.rpm x86_64: thunderbird-68.12.0-1.el8_0.x86_64.rpm thunderbird-debuginfo-68.12.0-1.el8_0.x86_64.rpm thunderbird-debugsource-68.12.0-1.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-15664 https://access.redhat.com/security/cve/CVE-2020-15669 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX1XtftzjgjWX9erEAQjsug/6AigFjjpwGrArnaVdo9uzbhWRBbhcNIBa y48HBVChBG8eIfss9Clhn7j370dyxrlg5Viz/wF65jem/AK8pQVDCOaLyqaiFOtV h3KfGMOkzq1culjbH7SkFt1rxKBv6r2DvP4nmEwZ4DMRSyy4enmj2PJZCIVR3MVw GYQOSgiSuXwIK/CiJKGjDb8m5Ss5YJBHtDHU5FjySZtDc9IUIesn+bYrg8GbGL6s R81LPorRUpjmSX02iGEFe3TSvIiN2LACqxA6QQ1Xflp/8RSS8Q/mAnc20vB4khc1 a/QXi0dNETUG8D5aXNUfahqNj10f6MXWM/l08uj0c4DtkWvWA1qLE7Jtb503kLUK GuLLyADrOsOSxXHMAwvjZe2BHx5gpbJk0lBW4azZrZ0YqL79vIjFk8JQy0th+74x P7Ytjc/1gjQlqj9ftYEFDuQElZifm/8wQ/mtz77oqgP052SDi9bJTcBHqzNAHM3V AhKW4qGTpO+WVobsUdQYDU4UTgPX3a9PwJfpBkhNRC6iNbBC8RG0DFAwv1e+FiPS INcsuwB0WmSt2XgWftWKIxRoU7MCJdNHIq8TxIRVfjy+O+E7GAj4QxkjBbZhXTtN u8IdvlJ5NZlE1+xKBsxRCa3hhks913iH9Z0JICtMw96oYoQ72mY2N8EbI2IlXJ7K O17Vt5zhPuA= =bGN6 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2020:3634-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3634 Issue date: 2020-09-07 CVE Names: CVE-2020-15664 CVE-2020-15669 ===================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.12.0. Security Fix(es): * Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664) * Mozilla: Use-After-Free when aborting an operation (CVE-2020-15669) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1872531 - CVE-2020-15664 Mozilla: Attacker-induced prompt for extension installation 1872532 - CVE-2020-15669 Mozilla: Use-After-Free when aborting an operation 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: thunderbird-68.12.0-1.el8_2.src.rpm aarch64: thunderbird-68.12.0-1.el8_2.aarch64.rpm thunderbird-debuginfo-68.12.0-1.el8_2.aarch64.rpm thunderbird-debugsource-68.12.0-1.el8_2.aarch64.rpm ppc64le: thunderbird-68.12.0-1.el8_2.ppc64le.rpm thunderbird-debuginfo-68.12.0-1.el8_2.ppc64le.rpm thunderbird-debugsource-68.12.0-1.el8_2.ppc64le.rpm x86_64: thunderbird-68.12.0-1.el8_2.x86_64.rpm thunderbird-debuginfo-68.12.0-1.el8_2.x86_64.rpm thunderbird-debugsource-68.12.0-1.el8_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-15664 https://access.redhat.com/security/cve/CVE-2020-15669 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX1XvmtzjgjWX9erEAQhPcw/9Gv9Hp+LKKtojIi99auQKwvmlvqD9ERWy nEXuXmz+KH5tF1R2Ni8rzZrSGrvv6fUQWpovndMPiv7M050ilDqHqIZ0rz/paH6D XsWtSviTMY36b30PH0ZsskRDH9FLLzeyznNaNQz9/PMWb18gLfOPx0ursSxod1be H6SUKInXassdFmQg5z0MvlnrPDuxy0/TsllDU4QeQdXnW+HvUrFM+P+wAebtxkaV JmIQFMoUqMM46COhop52vlHnoxdXL2VYXS0ZDUztknT04qQc+0JTAvoo2yd+4NdE Yd8ocGiXZxo5JN9M5AA2lDGHUnt6L8VQqpvSEVCAIRfXBXP+7o1JO1Rs992MspEw JJmGUdKQIKQ1PPvbaC9787B7bHQbr11757/SyPokVN/7dKTGO7jfFbectmqijDxW 93uMF46WQmPJLhU/TxUZvvxnank/E9fJ127+rOO0pgQ5q1PJfF48t4YUFJqluuqV 6Uv/4U7IGkoXrrLI/P9z2t/KMsPhW+uLnt6chdL052yj0ad0Zie6rVRPz1ww6YTP qO/cfE6645C8rj5fFws6gAnJeZdU7910RSW2vQ7dkJfXENeESJwk4c/4CKfkzPI3 p4X9zuD+CQsl94olKcwGcqfqi8DOVGAW1Us3pOhgbSjDc0R9G0irGeUGc4OetU24 t0IFhpWe7jA= =gyFF - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX1bvMeNLKJtyKPYoAQgzexAAmHgFTpYlxKqnkiVoACQQvD8fCeRA0SJT 6fWcZONJJqrxiRzJxZ5hNseat2wHHrBHnSzI2AB4iYpSFoBhH6BSV52xZXR7BqNc unVv4hiSVnp8hvlceWLKHAfnCih4IbFC6DzkBE/IsKrxh/wFoR9hLVBkjrZlVfyI kR0iX53gYEyJfWUJTXWrhcwALSAIVO9cNXo8ergxMjZZLvaL5z3AytXXoZ97oODj 9GouGJcy3I8JI0BpmncTmZquX4x/c0b3FazbUvAg09p8U0oXihHvvqOeZgbpo/af 4nOrsK+zCh8sXKloXL08inaiR5DAiJwZAXWaJ32gTgLc1Mi/sV0Q88LOiZRHUNqB RK6zzeTgoa0rV6cF6uUbfpJGK/TvhrIa6LtAFdPsbPxV/3bo2+o2Swqq1Omfz5yh dLKHvqUQ5MCKzAIILls8y94IOMzJyu/mknbTiMcjKzJ+ngroCT3+D7a14R5Pgom+ mvYh48i4+ZS9UeGh2Laq7SYaSZ8l/wzyckzJQj/Qbkvr9uw7nvyM5b8OMgUgd56Q 8i4kwpa4T+y3S4rtZQeIA2Ux8l3rpV+4C7Vdb+o4QsRJz5EqffanLATjxycEyGfN gppC84SHrYcYKiv/sHXmJnFbd4j0dJtf9e9vSekUv7is0XDK2q9kNz4TJJ1FzeiE Ju+ABLecYVs= =yO4+ -----END PGP SIGNATURE-----