Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1069
thunderbird security update
15 March 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: thunderbird
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26486 CVE-2022-26485 CVE-2022-26387
CVE-2022-26386 CVE-2022-26384 CVE-2022-26383
CVE-2022-26381 CVE-2022-25315 CVE-2022-25236
CVE-2022-25235 CVE-2022-0566
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:0850
Comment: CVSS (Max): 9.8 CVE-2022-25315 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2022:0850-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0850
Issue date: 2022-03-14
CVE Names: CVE-2022-0566 CVE-2022-25235 CVE-2022-25236
CVE-2022-25315 CVE-2022-26381 CVE-2022-26383
CVE-2022-26384 CVE-2022-26386 CVE-2022-26387
CVE-2022-26485 CVE-2022-26486
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 91.7.0.
Security Fix(es):
* Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)
* Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)
* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code
execution (CVE-2022-25235)
* expat: Namespace-separator characters in "xmlns[:prefix]" attribute
values can lead to arbitrary code execution (CVE-2022-25236)
* expat: Integer overflow in storeRawNames() (CVE-2022-25315)
* Mozilla: Use-after-free in text reflows (CVE-2022-26381)
* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)
* Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)
* Mozilla: Time-of-check time-of-use bug when verifying add-on signatures
(CVE-2022-26387)
* thunderbird: Crafted email could trigger an out-of-bounds write
(CVE-2022-0566)
* Mozilla: Temporary files downloaded to /tmp and accessible by other local
users (CVE-2022-26386)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2055591 - CVE-2022-0566 thunderbird: Crafted email could trigger an out-of-bounds write
2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
2061735 - CVE-2022-26486 Mozilla: Use-after-free in WebGPU IPC Framework
2061736 - CVE-2022-26485 Mozilla: Use-after-free in XSLT parameter processing
2062220 - CVE-2022-26383 Mozilla: Browser window spoof using fullscreen mode
2062221 - CVE-2022-26384 Mozilla: iframe allow-scripts sandbox bypass
2062222 - CVE-2022-26387 Mozilla: Time-of-check time-of-use bug when verifying add-on signatures
2062223 - CVE-2022-26381 Mozilla: Use-after-free in text reflows
2062224 - CVE-2022-26386 Mozilla: Temporary files downloaded to /tmp and accessible by other local users
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
thunderbird-91.7.0-2.el7_9.src.rpm
x86_64:
thunderbird-91.7.0-2.el7_9.x86_64.rpm
thunderbird-debuginfo-91.7.0-2.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
Source:
thunderbird-91.7.0-2.el7_9.src.rpm
ppc64le:
thunderbird-91.7.0-2.el7_9.ppc64le.rpm
thunderbird-debuginfo-91.7.0-2.el7_9.ppc64le.rpm
x86_64:
thunderbird-91.7.0-2.el7_9.x86_64.rpm
thunderbird-debuginfo-91.7.0-2.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
thunderbird-91.7.0-2.el7_9.src.rpm
x86_64:
thunderbird-91.7.0-2.el7_9.x86_64.rpm
thunderbird-debuginfo-91.7.0-2.el7_9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-0566
https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/cve/CVE-2022-26381
https://access.redhat.com/security/cve/CVE-2022-26383
https://access.redhat.com/security/cve/CVE-2022-26384
https://access.redhat.com/security/cve/CVE-2022-26386
https://access.redhat.com/security/cve/CVE-2022-26387
https://access.redhat.com/security/cve/CVE-2022-26485
https://access.redhat.com/security/cve/CVE-2022-26486
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYi9as9zjgjWX9erEAQi0VA/8DmqELriNmt2kTcKBgMz/PkowFKQVVLE9
Z4xLkVnFBjSYiHsyXBwFlNBJPK1ywvizchEFsj3hkv7+05xJTGLjrvyEaGquYv36
ol+Yrq5hzVATmfC9AivXQLew4+10cqBX5Hl/KoxIsLmn1k+7K0OV5PUo41WaYIYn
znNLekFIYpWBe6HmqEs7eErS9TGR6t91o/4iUd2p4LgxEMmJhcZ32clA0k2sWQoC
t96wqwaFdYo7SWekWEIsjLu9TjXCZ2QITzxA1gQG0ZymWuaOhpSCoaeu7O3KGy9E
j9D5UhAGmWxSWiSMJ2+AP4E4t4CXJ5poE9+T3hgsevt9Lr24Cr9QK77w6/gxpLpj
/zuR86oImk/FcnTBE+EY5TNgpPusbMQXZHD0OfmxRqO3TZn8n0mURRBgxkJJPpkb
AJX93daJu2FQyRQBRi/WQKbBpi8VKZpmdVIP8i/ZujiKWDzYuwnij4o0/JOTnH5P
agTu9G32WnAemVXUK6IlNZamM6IODof4uY7L1A1AtQkpDSzIQ5PpHbxEgtp0NqDO
tTBogkwaB3Mkvme2fZ6wu2ALaaJuhnDrA332gITVz9tQ6TJL/M3Z1f0X4007yTSH
uPebIvMc7O15OJL1AI7U29MitAXTDqkWoSP8ECMli7w1Ro3cBr/VNQicmkZZyJ3h
A8Mb2SG3B+I=
=7pc/
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYi/F1eNLKJtyKPYoAQh38A/9Fq6nv3nMuJRrQhLB0dDg3wYs1w0Qv6Lg
GPwTbupCfGl+lghqQtxlhgHkO4Haiy+/Jlw9xNcHbnSBmzSm78JFj5J5ljnuAprp
cOb9ONAxlYtHizla3gqjDHpFeKUymvfgrqWxfcp2OxinVEiuJl3qLtk5Zn0bXGo6
c7tfsh5RVKN8N6kns3CpjT0ebMkuAHKcH8ZacugY+gSKucPHehVhFk8vn1ByLUFp
OIePZncBDp7jN9sc9jxhdS0dCVWuyIouGGyMheW/rPvvKFaH72G8P1myMF6sriXf
409tgubCuOdBfggQPkJ0P+ZJniYwINAxZoUbq+YvdZKe2oKJhORTH6K2WJn7p+DZ
p6mK5o6MbknDHrqNaYzpqmq3qho3LKOGt9+SIRkKjKoPzsHk8YcQoZOOg4uxlBaV
CTQCDfDBnfkSc3/qIVHYda7MCQcyu6nhwvTadOOFvQWguMB2WaYvAd26Qnn39Mb9
TUE9/objEkF1wcIQcrl2IBG7Ij4V2xsmDz7Vv4VC97K+N+2xsHFb4W0EPozgccUn
wtmDZ/ivI6BEu/3G2HFfSo7SW29ybT4/oVWlP27JsAlYIWvcpC8KlvhBAWEyL4Nh
UajST76FmTM8EBGBIUe7gZeAaHxGkVCYosflc71iLo6mM64xuuLsz2YtU/cRUb+p
OyGFf06PKsc=
=id7I
-----END PGP SIGNATURE-----