-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3423
                        thunderbird security update
                               2 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15678 CVE-2020-15677 CVE-2020-15676 CVE-2020-15673
Reference:         ESB-2020.3328 ESB-2020.3287

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4155
   https://access.redhat.com/errata/RHSA-2020:4156
   https://access.redhat.com/errata/RHSA-2020:4157
   https://access.redhat.com/errata/RHSA-2020:4158
   https://access.redhat.com/errata/RHSA-2020:4163

Comment: This bulletin contains five (5) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:4155-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4155
Issue date:        2020-10-01
CVE Names:         CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 78.3.1.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 (CVE-2020-15673)
* Mozilla: XSS when pasting attacker-controlled data into a contenteditable element (CVE-2020-15676)
* Mozilla: Download origin spoofing via redirect (CVE-2020-15677)
* Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario (CVE-2020-15678)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1881664 - CVE-2020-15677 Mozilla: Download origin spoofing via redirect
1881665 - CVE-2020-15676 Mozilla: XSS when pasting attacker-controlled data into a contenteditable element
1881666 - CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
1881667 - CVE-2020-15673 Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
thunderbird-78.3.1-1.el8_2.src.rpm

aarch64:
thunderbird-78.3.1-1.el8_2.aarch64.rpm
thunderbird-debuginfo-78.3.1-1.el8_2.aarch64.rpm
thunderbird-debugsource-78.3.1-1.el8_2.aarch64.rpm

ppc64le:
thunderbird-78.3.1-1.el8_2.ppc64le.rpm
thunderbird-debuginfo-78.3.1-1.el8_2.ppc64le.rpm
thunderbird-debugsource-78.3.1-1.el8_2.ppc64le.rpm

x86_64:
thunderbird-78.3.1-1.el8_2.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el8_2.x86_64.rpm
thunderbird-debugsource-78.3.1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15673
https://access.redhat.com/security/cve/CVE-2020-15676
https://access.redhat.com/security/cve/CVE-2020-15677
https://access.redhat.com/security/cve/CVE-2020-15678
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:4156-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4156
Issue date:        2020-10-01
CVE Names:         CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - ppc64le, x86_64

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
thunderbird-78.3.1-1.el8_0.src.rpm

ppc64le:
thunderbird-78.3.1-1.el8_0.ppc64le.rpm
thunderbird-debuginfo-78.3.1-1.el8_0.ppc64le.rpm
thunderbird-debugsource-78.3.1-1.el8_0.ppc64le.rpm

x86_64:
thunderbird-78.3.1-1.el8_0.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el8_0.x86_64.rpm
thunderbird-debugsource-78.3.1-1.el8_0.x86_64.rpm

- ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:4157-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4157
Issue date:        2020-10-01
CVE Names:         CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
thunderbird-78.3.1-1.el8_1.src.rpm

ppc64le:
thunderbird-78.3.1-1.el8_1.ppc64le.rpm
thunderbird-debuginfo-78.3.1-1.el8_1.ppc64le.rpm
thunderbird-debugsource-78.3.1-1.el8_1.ppc64le.rpm

x86_64:
thunderbird-78.3.1-1.el8_1.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el8_1.x86_64.rpm
thunderbird-debugsource-78.3.1-1.el8_1.x86_64.rpm

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:4158-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4158
Issue date:        2020-10-01
CVE Names:         CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
thunderbird-78.3.1-1.el6_10.src.rpm

i386:
thunderbird-78.3.1-1.el6_10.i686.rpm

x86_64:
thunderbird-78.3.1-1.el6_10.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
thunderbird-78.3.1-1.el6_10.src.rpm

i386:
thunderbird-78.3.1-1.el6_10.i686.rpm

ppc64:
thunderbird-78.3.1-1.el6_10.ppc64.rpm
thunderbird-debuginfo-78.3.1-1.el6_10.ppc64.rpm

s390x:
thunderbird-78.3.1-1.el6_10.s390x.rpm
thunderbird-debuginfo-78.3.1-1.el6_10.s390x.rpm

x86_64:
thunderbird-78.3.1-1.el6_10.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
thunderbird-78.3.1-1.el6_10.src.rpm

i386:
thunderbird-78.3.1-1.el6_10.i686.rpm

x86_64:
thunderbird-78.3.1-1.el6_10.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el6_10.x86_64.rpm

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2020:4163-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4163
Issue date:        2020-10-01
CVE Names:         CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
thunderbird-78.3.1-1.el7_9.src.rpm

x86_64:
thunderbird-78.3.1-1.el7_9.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
thunderbird-78.3.1-1.el7_9.src.rpm

ppc64le:
thunderbird-78.3.1-1.el7_9.ppc64le.rpm
thunderbird-debuginfo-78.3.1-1.el7_9.ppc64le.rpm

x86_64:
thunderbird-78.3.1-1.el7_9.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
thunderbird-78.3.1-1.el7_9.src.rpm

x86_64:
thunderbird-78.3.1-1.el7_9.x86_64.rpm
thunderbird-debuginfo-78.3.1-1.el7_9.x86_64.rpm
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
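As a way to act on the package lists above, here is an added checker (not part of the AusCERT bulletin or of Red Hat's tooling) that compares an inventory of installed thunderbird builds against the fixed version-release for each RHEL stream named in the five advisories, using the same segment-wise comparison rpm itself applies. The inventory lines are constructed samples, and the mapping from a host's reported RHEL release to its advisory stream is an assumption.

```python
import re

# Fixed thunderbird builds taken from the five advisories above, keyed by the
# RHEL stream they were built for (all have epoch 0).
FIXED = {
    "el8_2": "78.3.1-1.el8_2",    # RHSA-2020:4155, RHEL 8 AppStream
    "el8_0": "78.3.1-1.el8_0",    # RHSA-2020:4156, RHEL 8.0 E4S
    "el8_1": "78.3.1-1.el8_1",    # RHSA-2020:4157, RHEL 8.1 EUS
    "el6_10": "78.3.1-1.el6_10",  # RHSA-2020:4158, RHEL 6
    "el7_9": "78.3.1-1.el7_9",    # RHSA-2020:4163, RHEL 7
}

def stream_for(rhel_release):
    """Assumption: 8.0 and 8.1 hosts run the E4S/EUS streams; any other
    RHEL 8 minor takes the main AppStream build; 7.x and 6.x have one stream."""
    major, _, minor = rhel_release.partition(".")
    if major == "8":
        return "el8_0" if minor == "0" else "el8_1" if minor == "1" else "el8_2"
    if major == "7":
        return "el7_9"
    if major == "6":
        return "el6_10"
    return None

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm's rpmvercmp() does
    (tilde/caret handling omitted): split into numeric and alphabetic segments,
    numbers compare numerically, a numeric segment beats an alphabetic one,
    and when all shared segments match the string with more segments is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_nevra(nevra):
    """Split 'name-version-release.arch' (version and release carry no '-')."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch

def check_host(rhel_release, nevra):
    name, version, release, _ = parse_nevra(nevra)
    if name != "thunderbird":
        return "not-thunderbird"
    stream = stream_for(rhel_release)
    if stream is None:
        return "unsupported-release"
    installed = f"{version}-{release}"
    return "fixed" if vr_cmp(installed, FIXED[stream]) >= 0 else "vulnerable"

# Constructed inventory (not from the bulletin): host, reported RHEL release,
# installed build as `rpm -q thunderbird --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`
# prints it. eus02 shows why the release must be compared too, not just the version.
SAMPLE_INVENTORY = [
    ("mail01", "8.2", "thunderbird-78.2.2-1.el8_2.x86_64"),
    ("sap01", "8.0", "thunderbird-78.3.1-1.el8_0.ppc64le"),
    ("eus02", "8.1", "thunderbird-78.3.1-1.el8.x86_64"),
    ("ws07", "7.9", "thunderbird-78.3.1-1.el7_9.x86_64"),
    ("legacy", "6.10", "thunderbird-68.12.0-1.el6_10.i686"),
]

def check_inventory(inventory):
    return [(host, check_host(rel, nevra)) for host, rel, nevra in inventory]

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {status}")
```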