Issued:
2007-12-19
Updated:
2007-12-19

RHSA-2007:1083 - Security Advisory

Synopsis

Moderate: thunderbird security update

Type/Severity

Security Advisory: Moderate

Topic

Updated thunderbird packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

A cross-site scripting flaw was found in the way Thunderbird handled the
jar: URI scheme. It may be possible for a malicious HTML mail message to
leverage this flaw, and conduct a cross-site scripting attack against a
user running Thunderbird. (CVE-2007-5947)

Several flaws were found in the way Thunderbird processed certain malformed
HTML mail content. A HTML mail message containing malicious content could
cause Thunderbird to crash, or potentially execute arbitrary code as the
user running Thunderbird. (CVE-2007-5959)

A race condition existed when Thunderbird set the "window.location"
property when displaying HTML mail content. This flaw could allow a HTML
mail message to set an arbitrary Referer header, which may lead to a
Cross-site Request Forgery (CSRF) attack against websites that rely only on
the Referer header for protection. (CVE-2007-5960)

All users of thunderbird are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 5.1 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 5.1 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 4.6 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.6 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.6 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 394211 - CVE-2007-5947 Mozilla jar: protocol XSS
  • BZ - 394241 - CVE-2007-5959 Multiple flaws in Firefox
  • BZ - 394261 - CVE-2007-5960 Mozilla Cross-site Request Forgery flaw

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
thunderbird-1.5.0.12-7.el5.src.rpm SHA-256: 6064fb5519489598a186864968879a68d0aca019d1c74d1ffd0549c84205257f
x86_64
thunderbird-1.5.0.12-7.el5.x86_64.rpm SHA-256: c0256e457fd2ca4b139d20384d4413df87d17402213a088ced67c35b1d1fd9c6
i386
thunderbird-1.5.0.12-7.el5.i386.rpm SHA-256: 3e2e751d52277af98291b3628f155ce19dd04200cc144dee2133a2557e8891cc

Red Hat Enterprise Linux Server 4

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
x86_64
thunderbird-1.5.0.12-7.el4.x86_64.rpm SHA-256: 4b6ceb3602aa48bb8506a9beedb1d05f8cc22b95a41b4a4804bb2f5412b17284
thunderbird-1.5.0.12-7.el4.x86_64.rpm SHA-256: 4b6ceb3602aa48bb8506a9beedb1d05f8cc22b95a41b4a4804bb2f5412b17284
ia64
thunderbird-1.5.0.12-7.el4.ia64.rpm SHA-256: 6b037ede3cad13e7fc9c697ec6ca9e5944468e299bcde0bf45f189642d75fa9b
thunderbird-1.5.0.12-7.el4.ia64.rpm SHA-256: 6b037ede3cad13e7fc9c697ec6ca9e5944468e299bcde0bf45f189642d75fa9b
i386
thunderbird-1.5.0.12-7.el4.i386.rpm SHA-256: 81fffa27a94c9faf3cdeee19110774dae905c10d4d883649d8902ccf2f388543
thunderbird-1.5.0.12-7.el4.i386.rpm SHA-256: 81fffa27a94c9faf3cdeee19110774dae905c10d4d883649d8902ccf2f388543

Red Hat Enterprise Linux Server - Extended Update Support 4.6

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
x86_64
thunderbird-1.5.0.12-7.el4.x86_64.rpm SHA-256: 4b6ceb3602aa48bb8506a9beedb1d05f8cc22b95a41b4a4804bb2f5412b17284
thunderbird-1.5.0.12-7.el4.x86_64.rpm SHA-256: 4b6ceb3602aa48bb8506a9beedb1d05f8cc22b95a41b4a4804bb2f5412b17284
ia64
thunderbird-1.5.0.12-7.el4.ia64.rpm SHA-256: 6b037ede3cad13e7fc9c697ec6ca9e5944468e299bcde0bf45f189642d75fa9b
thunderbird-1.5.0.12-7.el4.ia64.rpm SHA-256: 6b037ede3cad13e7fc9c697ec6ca9e5944468e299bcde0bf45f189642d75fa9b
i386
thunderbird-1.5.0.12-7.el4.i386.rpm SHA-256: 81fffa27a94c9faf3cdeee19110774dae905c10d4d883649d8902ccf2f388543
thunderbird-1.5.0.12-7.el4.i386.rpm SHA-256: 81fffa27a94c9faf3cdeee19110774dae905c10d4d883649d8902ccf2f388543

Red Hat Enterprise Linux Workstation 5

SRPM
thunderbird-1.5.0.12-7.el5.src.rpm SHA-256: 6064fb5519489598a186864968879a68d0aca019d1c74d1ffd0549c84205257f
x86_64
thunderbird-1.5.0.12-7.el5.x86_64.rpm SHA-256: c0256e457fd2ca4b139d20384d4413df87d17402213a088ced67c35b1d1fd9c6
i386
thunderbird-1.5.0.12-7.el5.i386.rpm SHA-256: 3e2e751d52277af98291b3628f155ce19dd04200cc144dee2133a2557e8891cc

Red Hat Enterprise Linux Workstation 4

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
x86_64
thunderbird-1.5.0.12-7.el4.x86_64.rpm SHA-256: 4b6ceb3602aa48bb8506a9beedb1d05f8cc22b95a41b4a4804bb2f5412b17284
ia64
thunderbird-1.5.0.12-7.el4.ia64.rpm SHA-256: 6b037ede3cad13e7fc9c697ec6ca9e5944468e299bcde0bf45f189642d75fa9b
i386
thunderbird-1.5.0.12-7.el4.i386.rpm SHA-256: 81fffa27a94c9faf3cdeee19110774dae905c10d4d883649d8902ccf2f388543

Red Hat Enterprise Linux Desktop 5

SRPM
thunderbird-1.5.0.12-7.el5.src.rpm SHA-256: 6064fb5519489598a186864968879a68d0aca019d1c74d1ffd0549c84205257f
x86_64
thunderbird-1.5.0.12-7.el5.x86_64.rpm SHA-256: c0256e457fd2ca4b139d20384d4413df87d17402213a088ced67c35b1d1fd9c6
i386
thunderbird-1.5.0.12-7.el5.i386.rpm SHA-256: 3e2e751d52277af98291b3628f155ce19dd04200cc144dee2133a2557e8891cc

Red Hat Enterprise Linux Desktop 4

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
x86_64
thunderbird-1.5.0.12-7.el4.x86_64.rpm SHA-256: 4b6ceb3602aa48bb8506a9beedb1d05f8cc22b95a41b4a4804bb2f5412b17284
i386
thunderbird-1.5.0.12-7.el4.i386.rpm SHA-256: 81fffa27a94c9faf3cdeee19110774dae905c10d4d883649d8902ccf2f388543

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
s390x
thunderbird-1.5.0.12-7.el4.s390x.rpm SHA-256: c3a0153fb4f98743aaab4aa58bf5b2f798c884d43b66b0097513e4327b3ac3a5
s390
thunderbird-1.5.0.12-7.el4.s390.rpm SHA-256: e828d383a485881cb70f30c124398a5f4402043373893891abb5bc79e791471b

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
s390x
thunderbird-1.5.0.12-7.el4.s390x.rpm SHA-256: c3a0153fb4f98743aaab4aa58bf5b2f798c884d43b66b0097513e4327b3ac3a5
s390
thunderbird-1.5.0.12-7.el4.s390.rpm SHA-256: e828d383a485881cb70f30c124398a5f4402043373893891abb5bc79e791471b

Red Hat Enterprise Linux for Power, big endian 4

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
ppc
thunderbird-1.5.0.12-7.el4.ppc.rpm SHA-256: 148bd0b37a0d333eb6e1a8f9e0fc74a6fb564619d252a99b286050e778b8f4b7

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6

SRPM
thunderbird-1.5.0.12-7.el4.src.rpm SHA-256: 147496f66ca3aa3b25298a6b641c6e9d9a44f372776c6e8e464213b3507557e0
ppc
thunderbird-1.5.0.12-7.el4.ppc.rpm SHA-256: 148bd0b37a0d333eb6e1a8f9e0fc74a6fb564619d252a99b286050e778b8f4b7

Red Hat Enterprise Linux Server from RHUI 5

SRPM
thunderbird-1.5.0.12-7.el5.src.rpm SHA-256: 6064fb5519489598a186864968879a68d0aca019d1c74d1ffd0549c84205257f
x86_64
thunderbird-1.5.0.12-7.el5.x86_64.rpm SHA-256: c0256e457fd2ca4b139d20384d4413df87d17402213a088ced67c35b1d1fd9c6
i386
thunderbird-1.5.0.12-7.el5.i386.rpm SHA-256: 3e2e751d52277af98291b3628f155ce19dd04200cc144dee2133a2557e8891cc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.