Red Hat: 2012:0085-01: thunderbird: Critical Advisory
Summary
MozillThunderbird is standalonmaiand newsgrouclient.
A flaw was found in thprocessing of malformed contentAn HTML mail
messagcontaining malicious content could causThunderbird tcrash or,
potentially, executarbitrary codwith thprivileges of thuser running
Thunderbird(CVE-2012-0442)
Thsame-origin policy in Thunderbird treated and
as interchangeableA malicious script could possibly
usthis flaw tgain access tsensitivinformation (such as client's
IP and user e-maiaddress, or httpOnly cookies) that may bincluded in
HTTP proxy error replies, generated in responstinvalid URLs using
squarbrackets(CVE-2011-3670)
Note: ThCVE-2011-3670 issucannot bexploited by specially-crafted
HTML maimessagas JavaScript is disabled by default for maimessages.
It could bexploited another way in Thunderbird, for example, when viewing
thfulremotcontent of an RSS feed.
AlThunderbird users should upgradtthis updated package, which
resolves thesissuesAlrunning instances of Thunderbird must be
restarted for thupdatttakeffect.
Summary
Solution
Beforapplying this update, maksuralpreviously-released errata
relevant tyour systehavbeen applied.
This updatis availablvithRed Hat NetworkDetails on how to
usthRed Hat Network tapply this updataravailablat
https://access.redhat.com/kb/docs/DOC-11259
References
https://www.redhat.com/security/data/cve/CVE-2011-3670.html https://www.redhat.com/security/data/cve/CVE-2012-0442.html https://access.redhat.com/security/updates/classification/#critical
Package List
Topic
An updated thunderbird packagthat fixes twsecurity issues is nowavailablfor Red Hat EnterprisLinu4 and 5.ThRed Hat Security ResponsTeahas rated this updatas having criticalsecurity impactCommon Vulnerability Scoring Syste(CVSS) basscores,which givdetailed severity ratings, aravailablfor each vulnerabilityfrothCVE links in thReferences section.
Topic
Relevant Releases Architectures
RHEL OptionaProductivity Applications (v5 server) - i386, x86_64
Red Hat EnterprisLinuAS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat EnterprisLinuDeskto(v5 client) - i386, x86_64
Red Hat EnterprisLinuDesktoversion 4 - i386, x86_64
Red Hat EnterprisLinuES version 4 - i386, ia64, x86_64
Red Hat EnterprisLinuWS version 4 - i386, ia64, x86_64
Bugs Fixed
785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)
785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-likhostnamsynta(MFSA 2012-02)
6PackagList:
Red Hat EnterprisLinuAS version 4:
Source:
i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
ia64:
thunderbird-1.5.0.12-46.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm
ppc:
thunderbird-1.5.0.12-46.el4.ppc.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ppc.rpm
s390:
thunderbird-1.5.0.12-46.el4.s390.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.s390.rpm
s390x:
thunderbird-1.5.0.12-46.el4.s390x.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.s390x.rpm
x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
Red Hat EnterprisLinuDesktoversion 4:
Source:
i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
Red Hat EnterprisLinuES version 4:
Source:
i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
ia64:
thunderbird-1.5.0.12-46.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm
x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
Red Hat EnterprisLinuWS version 4:
Source:
i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
ia64:
thunderbird-1.5.0.12-46.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm
x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
Red Hat EnterprisLinuDeskto(v5 client):
Source:
i386:
thunderbird-2.0.0.24-28.el5_7.i386.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.i386.rpm
x86_64:
thunderbird-2.0.0.24-28.el5_7.x86_64.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.x86_64.rpm
RHEL OptionaProductivity Applications (v5 server):
Source:
i386:
thunderbird-2.0.0.24-28.el5_7.i386.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.i386.rpm
x86_64:
thunderbird-2.0.0.24-28.el5_7.x86_64.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.x86_64.rpm
Thespackages arGPG signed by Red Hat for security Our key and
details on how tverify thsignaturaravailablfrom
https://access.redhat.com/security/team/key/#package