-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2019:2807-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2807 Issue date: 2019-09-17 CVE Names: CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752 ==================================================================== 1. Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.9.0. Security Fix(es): * Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message (CVE-2019-11739) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Thunderbird must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1748652 - CVE-2019-11740 Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 1748653 - CVE-2019-11742 Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images 1748654 - CVE-2019-11743 Mozilla: Cross-origin access to unload event attributes 1748655 - CVE-2019-11744 Mozilla: XSS by breaking out of title and textarea elements using innerHTML 1748656 - CVE-2019-11746 Mozilla: Use-after-free while manipulating video 1748657 - CVE-2019-11752 Mozilla: Use-after-free while extracting a key value in IndexedDB 1752307 - CVE-2019-11739 Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: thunderbird-60.9.0-1.el6_10.src.rpm i386: thunderbird-60.9.0-1.el6_10.i686.rpm thunderbird-debuginfo-60.9.0-1.el6_10.i686.rpm x86_64: thunderbird-60.9.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-60.9.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: thunderbird-60.9.0-1.el6_10.src.rpm i386: thunderbird-60.9.0-1.el6_10.i686.rpm thunderbird-debuginfo-60.9.0-1.el6_10.i686.rpm ppc64: thunderbird-60.9.0-1.el6_10.ppc64.rpm thunderbird-debuginfo-60.9.0-1.el6_10.ppc64.rpm s390x: thunderbird-60.9.0-1.el6_10.s390x.rpm thunderbird-debuginfo-60.9.0-1.el6_10.s390x.rpm x86_64: thunderbird-60.9.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-60.9.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: thunderbird-60.9.0-1.el6_10.src.rpm i386: thunderbird-60.9.0-1.el6_10.i686.rpm thunderbird-debuginfo-60.9.0-1.el6_10.i686.rpm x86_64: thunderbird-60.9.0-1.el6_10.x86_64.rpm thunderbird-debuginfo-60.9.0-1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11739 https://access.redhat.com/security/cve/CVE-2019-11740 https://access.redhat.com/security/cve/CVE-2019-11742 https://access.redhat.com/security/cve/CVE-2019-11743 https://access.redhat.com/security/cve/CVE-2019-11744 https://access.redhat.com/security/cve/CVE-2019-11746 https://access.redhat.com/security/cve/CVE-2019-11752 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXYMfftzjgjWX9erEAQgYPRAAnYnR8TZBX+/znFuhEn2V4uToENo3tDuO IpbQJxuQ2u12OKwtAWnRDpqpEQcm+5X9ka/Mx5at9vQpgI/8zpZzpwVELxpQ3KwQ or+KQkU4I5SYf0OQxNO5Zy8opw1cPO+sFarKrrYQ+4C6MOyuJE1leSkYzDeemsNJ 1RbvEZWy+Bi+RXUQPNmw0QtADXfRvQDt6iHz2bn6KbYZwXnQeVii+T4RIyC19cyC ctRwdow8NsjfWrFULeuhZeoVo9dAValnw8GHDpwjTnsPQv4WCOgd22n5LJVkfq7x /r3IOE0l9rsHlQcrPSeO6aVsZiDU0ArbfLMoZzTu5xAADQXXx9XX/RBHrztSqVX1 WHuJZltS/+JhnNu0iPxuymrdBQhmS4DT73NeNc4CEZdt9AAaQD04WzA+CteHhhgv VgoLWVvWcrmNnzZ0JHrN6RaE6DuZQpPrSWSLdstdsKcuIVoYKQXzlXLqivsgEBCt i0Hypxqh4ySZXqNhKUQvUHS5SMCjiNrBoSHFCkkWuWlxL4eHtQUjh2p9oaoIs5R+ BlSFPrWEtlZfT+MlDoWgcETRIct1NnYHV6JCtOq0zYpaV6/hhrBmL7qaTOVP3+mA PDBB/Bz1qMaAiqFSgW7eRH29c3TABcgC3tEEvx3tNsNN5hgTQrfZycydxxdghLZG eI4bmI4omDQ=fTDA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce