Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1403
thunderbird security update
27 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: thunderbird
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29948 CVE-2021-29946 CVE-2021-29945
CVE-2021-24002 CVE-2021-23999 CVE-2021-23998
CVE-2021-23995 CVE-2021-23994 CVE-2021-23961
Reference: ESB-2021.1380
ESB-2021.1313
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:1350
https://access.redhat.com/errata/RHSA-2021:1351
https://access.redhat.com/errata/RHSA-2021:1352
https://access.redhat.com/errata/RHSA-2021:1353
Comment: This bulletin contains four (4) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2021:1350-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1350
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946 CVE-2021-29948
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 78.10.0.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
* Mozilla: Race condition when reading from disk while verifying signatures
(CVE-2021-29948)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
1951381 - CVE-2021-29948 Mozilla: Race condition when reading from disk while verifying signatures
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
thunderbird-78.10.0-1.el7_9.src.rpm
x86_64:
thunderbird-78.10.0-1.el7_9.x86_64.rpm
thunderbird-debuginfo-78.10.0-1.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
Source:
thunderbird-78.10.0-1.el7_9.src.rpm
ppc64le:
thunderbird-78.10.0-1.el7_9.ppc64le.rpm
thunderbird-debuginfo-78.10.0-1.el7_9.ppc64le.rpm
x86_64:
thunderbird-78.10.0-1.el7_9.x86_64.rpm
thunderbird-debuginfo-78.10.0-1.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
thunderbird-78.10.0-1.el7_9.src.rpm
x86_64:
thunderbird-78.10.0-1.el7_9.x86_64.rpm
thunderbird-debuginfo-78.10.0-1.el7_9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/cve/CVE-2021-29948
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIZa7tzjgjWX9erEAQgxUA/+NkFcwhBSQrMLks80W3dULm3VdsLjR+JT
id4qMhlVJ51F2hd+IHv2SAVukOnXyyj2JlYr0pd93fmHABsZWDxrz6CtUnmeQwM8
HyPke7obm4ACct/dGYs60YPGIH+mWuqG2ta4bSTacBQICl8wFp+3Tg3aucI5g6i/
vssCy0lK8sDI1FMbBQ6qF3VM5VIBSodC/pxqIuYMDRVrLw0XNKv2b/6JJrcS/oYH
ZRqj3BA3XWoq9Tu5yIiX0mfrMWqOr/dg1RLbGOybyWyBCWhzUQc6/aY1urMzwvUb
YqoJlXULCl4L9Mt1lwmLPESxLDAuSE6SGDhvkekCeXk7gMvzAs3iQk9ixT76yn9S
UeZIy/K0FoerauQ8oY0tWg3SVzbzA+HUROXZRfCXHitTplH02cFFY9bvcRy2JszD
BB5Z7U1DR401C2xkIrhyKpW1P6mq23PQifM3ENNUhp0cKG3WX/7SwOEZ2rxJaUO6
NL4Ah0IsaERi6NzrcIXWo3rgX7UfaVymxaoMCW7UAOPYu0OY7BsTDEetii7cILS2
47uFcx+zRVZ0PeINr0F8e89woqu+t15Cb5NljbZxPZxsLjnJLf8e6KUTPqwqF/ix
6i48nomJx9/52WufIArL570Q+xRCnOo5WXVFxi9Sv74IyWbWghVVtneFXGLb83kv
mJG4iS62vm0=
=ibFx
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2021:1351-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1351
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946 CVE-2021-29948
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - ppc64le, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 78.10.0.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
* Mozilla: Race condition when reading from disk while verifying signatures
(CVE-2021-29948)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
1951381 - CVE-2021-29948 Mozilla: Race condition when reading from disk while verifying signatures
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
thunderbird-78.10.0-1.el8_1.src.rpm
ppc64le:
thunderbird-78.10.0-1.el8_1.ppc64le.rpm
thunderbird-debuginfo-78.10.0-1.el8_1.ppc64le.rpm
thunderbird-debugsource-78.10.0-1.el8_1.ppc64le.rpm
x86_64:
thunderbird-78.10.0-1.el8_1.x86_64.rpm
thunderbird-debuginfo-78.10.0-1.el8_1.x86_64.rpm
thunderbird-debugsource-78.10.0-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/cve/CVE-2021-29948
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIZUtNzjgjWX9erEAQiCkA/9E4WUCvlBPu/+IG3ZkdG7cg8tsPmMtsX6
gpVIOnUobYXth1n7w7wo4ehiNRL4vB8My4kmJ+Qf/3UKGCNxtGOiqHEV7z0tMAVb
gTF13jCX/uNm5l4z9kEqiY0dP1gNvl4vAJvy2ax4JjXY93MraHsFCyaSPywyd8hJ
G4AGKBcNJZD9VgvHR/uM6rAO2y6fHAc97P/gTXz2wfZYRhDu8PHLWw4HuTagRux9
eBjVC1C8FF3fGntuCLVZfJe99kzQ5dQ3p3w/No/PidDqdyXZEpHn6Nij22Da0Zvj
WRXldT/JdWk8CxmmQtXaiWP3RbiX0cGVBi/JAn4DlkwpSPTMW6RdcLADjW9F4kAe
wB5vPS3SMZel+mHpnAwSrrj2pEj4lt/UQoWXfF0Iz+lcxHFdQ+8diK3BFQuzc1ve
V/c77CvWGgRMJhxZi7iForvaeMF/Notm17+7NJP0zIOmjR7Z0rI8T8cCQKnOzU00
rT7mLIM+/NRQtIQpiq8gHG0Hkzpfpxu8D1SYOOuGBtsxLtigBBjIkYdkOlDeHYzJ
8XYGiG7aYnZhWenGL6XVdeCJ7tVAh6pgYcWfMYpazHUKmMmBP7A7NTRj6hasFYwQ
dAYbOL2w9AhEKXqx07U/NdLUtEs0xuaIqYKyZ57yoML7IHL8Q4ec0+3wDAk3NdfC
XJkQXWRP3Ng=
=EJak
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2021:1352-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1352
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946 CVE-2021-29948
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 78.10.0.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
* Mozilla: Race condition when reading from disk while verifying signatures
(CVE-2021-29948)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
1951381 - CVE-2021-29948 Mozilla: Race condition when reading from disk while verifying signatures
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.2):
Source:
thunderbird-78.10.0-1.el8_2.src.rpm
aarch64:
thunderbird-78.10.0-1.el8_2.aarch64.rpm
thunderbird-debuginfo-78.10.0-1.el8_2.aarch64.rpm
thunderbird-debugsource-78.10.0-1.el8_2.aarch64.rpm
ppc64le:
thunderbird-78.10.0-1.el8_2.ppc64le.rpm
thunderbird-debuginfo-78.10.0-1.el8_2.ppc64le.rpm
thunderbird-debugsource-78.10.0-1.el8_2.ppc64le.rpm
x86_64:
thunderbird-78.10.0-1.el8_2.x86_64.rpm
thunderbird-debuginfo-78.10.0-1.el8_2.x86_64.rpm
thunderbird-debugsource-78.10.0-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/cve/CVE-2021-29948
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIZXLtzjgjWX9erEAQgTZw//QiZ3trn6aQ5vly6gipmwMaObmMmM3kgD
ark13V1WauBzhMhdqUh84bkI0h/FO0ZqSOYAASGnWHku1ZNbgU2J9Ein6WK/P0z+
VrPUtgEJqi8cLks7PQncTt4aTgNdrUOtawKPL4XhcCKqvHEYhT7xAnMfNmIgy3nM
LQtrTYb1cfoWkzjujv8mAZNahQPK7tbISaVgOWGMaO2fvTxxT8jIOEI26c1v9d7U
Se98HabejHoMBlYiLRkUhtv+7nIRIaWd48CBLFxxmWZWPCka9tLxCXLnfrW6g4jz
AvYHXLnSCu8ZnCq9WLVhVkEyyOhRMUkyGty+4OTezBDZhm8wJLXOoASN8Q1qOLVq
MU+WZZAyiFX/xdIB+Wdh4OllDMHgQVZD04ywN0LA1wp5QR+6eVjkMbEUZH/StEfm
biQqZjdIjK8JTTGwi6zOD47+GF+XY4jCe9PPUKZkv3rl2KorA5S1SpGxWZsFA87B
3xZQF7PN6EZsD5SnbXSVNIpZfU3sJRg5TF77uYZkaO/EKqZuBEnb//cvlv/mnbG8
D2u9VIjORdE8elO3j1gmm+3Gx+YYB2FCGJnZXMGsmUdoliDL0fuhBqDN6sGVtcQK
T8W4vp4s2JWsLdQ7eCnpKJ0zoMhMSP3Gp5XQoZzfPCNnduxm9K5zAgUtOno7rz1m
zBbjpOr6Cbs=
=YopE
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2021:1353-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1353
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946 CVE-2021-29948
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 78.10.0.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
* Mozilla: Race condition when reading from disk while verifying signatures
(CVE-2021-29948)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
1951381 - CVE-2021-29948 Mozilla: Race condition when reading from disk while verifying signatures
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
thunderbird-78.10.0-1.el8_3.src.rpm
aarch64:
thunderbird-78.10.0-1.el8_3.aarch64.rpm
thunderbird-debuginfo-78.10.0-1.el8_3.aarch64.rpm
thunderbird-debugsource-78.10.0-1.el8_3.aarch64.rpm
ppc64le:
thunderbird-78.10.0-1.el8_3.ppc64le.rpm
thunderbird-debuginfo-78.10.0-1.el8_3.ppc64le.rpm
thunderbird-debugsource-78.10.0-1.el8_3.ppc64le.rpm
x86_64:
thunderbird-78.10.0-1.el8_3.x86_64.rpm
thunderbird-debuginfo-78.10.0-1.el8_3.x86_64.rpm
thunderbird-debugsource-78.10.0-1.el8_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/cve/CVE-2021-29948
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIZT5tzjgjWX9erEAQh+cw//UaYUfVaXfEvGHpKHT5yTRHxkUB/S3ZbP
uTOQ58Tf5zc2Wy/mQl97Fbp8OL4lIPyPh7iHiZyjpeLBwe9Mgptu0idJDb8w3zrY
FsFFRrmFqWfEK+c9C1+gCGJIRqYTbpWXZxDKPvrYA9FptsHKUmD6LYefCxSQSgyb
R5G2ADRD6LeMRxwKQgaha5vODee8tv9MKq05Bt6DIxyiwGL6NzvSMzeGwhLYQ3FZ
pPLsLnFGMQlZdR400kR0sCkJspu55SlgXmDidafX4KvXEspyO6bxREyD9iF6uOtT
nv0EuGMzax6aLqD/8HeB5UDxI/SsDpB6lNlaS+zzyousIxoFjlp5AKqqUYDx0uRs
zhWJq/Ds60X3Gccm4mK6DgpzivjFW0wrHSLFmOu2Vs0YxL5Q2FbStPfpo92NBQT/
4GilOvYeIB+9NmX96xtKJ4zFB75pDD5DCCmDLJrQweRfwIbCnazbvxGQhEpO2Cle
tZv1qFpOTyEeirUCp+aPs1UWhP2kLJqTJa+1+aEn25gjsx/yBwb84dXrRcfdhLUY
/Zuv4p5aszK8ufLrejVgp3pnBm9XZIsOGPKSZMTDA1O99cJDlhtphT+uquxfODUj
r5zKsnLU/ImEZky7TFMPX4faGUh+Zjq1Km1uVqO7joJ0/Gz4ZMmfaAfnLSuG4hzt
nyVUTma1nXc=
=cLlX
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYIdm0uNLKJtyKPYoAQhtcA//eBxcOFvIf8xZ+R2M5UdMXTbjxaXb79Vh
gIjbfR7Ml3s5q+aCc7V1uUkaqZiiqF/LBwjhIEXjB02Wgra+VdW5YQUk1K3UKZ0J
shOER7+r15aCo8oHrBx7/ox1rTL5INv1WGNNGyfXiQUOaKaveX00Mg2D97H4p3GE
uvZK7U+QwJZTm2RD0QAIhuUdjvk94t2O7GxfIEwBKaybiqOvoKOqdHLYjpO6hrk5
2FWQSheJujEQ5lyDWe1KzfA1MAh/bhTp6bA7QuyaXtFV+LjG/NuXzcv2T69aa7GE
vI2z5Scl8+Q9gUB9RLc69upBqENglT8kAWi/tT720KNISE5I/Usw+NfvVtwC4KFD
vVod4UUK1ZVQxOn25VMNtILRCM+AwPV/hrIc735Wk6JF0vVhqAYDEImuzx/sOsrM
woKshv3Nl17Uc/7bloRk4vXp1/gKJ//F51vfQ4xo48QTAZ8QvnOhMDY5VeCCqDCx
EU8HAzYL2FasJMjyKAkd3tLZVV/WB/S0rhsr48EUktF3dIHVvAEQpyS5UOmMP3fg
YNtQiu3oqNT4o2gh2+i7xxnCEcN4HtVnPAFwmO71Mv3G4exG4OXLo4K60V6PNhkz
nkLUemzcSym1t2qnmauRSdC5wsS6ul5XpxexJe2NLM7aW07UGCSVbGYXbfqvOx/0
hXXGH570hXY=
=ObFP
-----END PGP SIGNATURE-----