-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2019:2773-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2773 Issue date: 2019-09-17 CVE Names: CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752 ==================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.9.0. Security Fix(es): * Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message (CVE-2019-11739) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1748652 - CVE-2019-11740 Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 1748653 - CVE-2019-11742 Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images 1748654 - CVE-2019-11743 Mozilla: Cross-origin access to unload event attributes 1748655 - CVE-2019-11744 Mozilla: XSS by breaking out of title and textarea elements using innerHTML 1748656 - CVE-2019-11746 Mozilla: Use-after-free while manipulating video 1748657 - CVE-2019-11752 Mozilla: Use-after-free while extracting a key value in IndexedDB 1752307 - CVE-2019-11739 Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: thunderbird-60.9.0-1.el7_7.src.rpm x86_64: thunderbird-60.9.0-1.el7_7.x86_64.rpm thunderbird-debuginfo-60.9.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: thunderbird-60.9.0-1.el7_7.src.rpm ppc64le: thunderbird-60.9.0-1.el7_7.ppc64le.rpm thunderbird-debuginfo-60.9.0-1.el7_7.ppc64le.rpm x86_64: thunderbird-60.9.0-1.el7_7.x86_64.rpm thunderbird-debuginfo-60.9.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: thunderbird-60.9.0-1.el7_7.src.rpm x86_64: thunderbird-60.9.0-1.el7_7.x86_64.rpm thunderbird-debuginfo-60.9.0-1.el7_7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11739 https://access.redhat.com/security/cve/CVE-2019-11740 https://access.redhat.com/security/cve/CVE-2019-11742 https://access.redhat.com/security/cve/CVE-2019-11743 https://access.redhat.com/security/cve/CVE-2019-11744 https://access.redhat.com/security/cve/CVE-2019-11746 https://access.redhat.com/security/cve/CVE-2019-11752 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXYL4W9zjgjWX9erEAQjzXg/9HHn4vY4XhaUarBsoNAYcofhvMqR9XbiK BRxl/LtWM0xRZTTLCFgKbsY5lQHqvYgq98EE06AIZxi3ScwSEiLSTUIyuQDml9cU b2eO2qXCS8rYgzC4QfNGDkne29WQEiVIxqLzRl9xRTsafj9pSIIu+Qkw7Mxy60an UC1MkhPu8z1Y0JOe+bL09ZO5JawYCUcL4ndrmA2bBgKX0MBBH4MPIPYnrzJEM6FF pizvjeATKOPuUWHj7cG8XM1vnCe+CH693xJAXjSw1wJFQl3jnIGt/u62hCq4wCV2 kGSTUlRiQEgdzyEmLzQwb2OurhuxJNHtQRLB98A5PsoUmjif9dbbkuWa68OBj3do j1lQf18WjucE+JmtS8wVXRvxLsDYFXsaCerPk4e4DnoMY5pnbu3bHsL9nMyjJ3JH QgNCqH6C1U3hZ2OzOk64A7eL4+NUC5VXuOai3yWaYWn9x4qX8DtRQf5ZtoR+udNT FIreJ8zMGqnJ5m7DNNaVBeQ45e3dVO9FAgkIxwUMALh6MTA9AemVxMyTeKollm8m TVVh9A1yxAMLhqOn8pOABnU+6zCSZvn9meCmkgpt/riPYP82YjqdoTwfu68x0ErV eVWh0O9JauXzhJFEhtOASUyrwzJgEgSG5byyV2f3NpAFfsnj2mmPznBE6IS4zcLW 09XEbE+2vkg=vDUE -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce