Issued:
2014-09-03
Updated:
2014-09-03

RHSA-2014:1145 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Topic

An updated thunderbird package that fixes two security issues is now
available for Red Hat Enterprise Linux 5 and 6.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2014-1562, CVE-2014-1567)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jan de Mooij as the original reporter of
CVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567.

Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message as JavaScript is disabled by default for mail messages.
They could be exploited another way in Thunderbird, for example, when
viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 24.8.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 24.8.0, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Enterprise Linux Server 6 i386
  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 6.5 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 6.5 i386
  • Red Hat Enterprise Linux Server - AUS 6.5 x86_64
  • Red Hat Enterprise Linux Workstation 6 x86_64
  • Red Hat Enterprise Linux Workstation 6 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 6 x86_64
  • Red Hat Enterprise Linux Desktop 6 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.5 s390x
  • Red Hat Enterprise Linux for Power, big endian 6 ppc64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.5 ppc64
  • Red Hat Enterprise Linux Server from RHUI 6 x86_64
  • Red Hat Enterprise Linux Server from RHUI 6 i386
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386
  • Red Hat Enterprise Linux Server - TUS 6.5 x86_64

Fixes

  • BZ - 1135862 - CVE-2014-1562 Mozilla: Miscellaneous memory safety hazards (rv:rv:24.8) (MFSA 2014-67)
  • BZ - 1135869 - CVE-2014-1567 Mozilla: Use-after-free setting text directionality (MFSA 2014-72)

CVEs

References

Red Hat Enterprise Linux Server 6

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9
i386
thunderbird-24.8.0-1.el6_5.i686.rpm SHA-256: 585f557c3c8ac34fb3756ff2993261da3825edfada75d6c8573a22d660231793
thunderbird-debuginfo-24.8.0-1.el6_5.i686.rpm SHA-256: 28dda16a23bfb6354cde1eada9319d8a396663569bf382761aebeab347a5beb5

Red Hat Enterprise Linux Server 5

SRPM
thunderbird-24.8.0-1.el5_10.src.rpm SHA-256: bd5ee7c5e9e27eb1dca4f71df2b2fef557d4db0fa97545d5d47b54af6260e2c0
x86_64
thunderbird-24.8.0-1.el5_10.x86_64.rpm SHA-256: 98aa7f40f81b8cf8fe84f0b68f1c1ea03ea42f367b19a6eda361886a8d600ca8
thunderbird-debuginfo-24.8.0-1.el5_10.x86_64.rpm SHA-256: 43704c02861de5d2adf61990e30d2dfc04f0e95bb561f9fcdaa8f308c17cbca4
i386
thunderbird-24.8.0-1.el5_10.i386.rpm SHA-256: 069d37c7bd29ef6b898af05e5dd451f3060dfb3a643975a9bd4de0f1d498f5a5
thunderbird-debuginfo-24.8.0-1.el5_10.i386.rpm SHA-256: ebd5a1d8d3788a4d95411e6d424af96fd710ee11bd7d83ff92e70cde205e5de8

Red Hat Enterprise Linux Server - Extended Update Support 6.5

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9
i386
thunderbird-24.8.0-1.el6_5.i686.rpm SHA-256: 585f557c3c8ac34fb3756ff2993261da3825edfada75d6c8573a22d660231793
thunderbird-debuginfo-24.8.0-1.el6_5.i686.rpm SHA-256: 28dda16a23bfb6354cde1eada9319d8a396663569bf382761aebeab347a5beb5

Red Hat Enterprise Linux Server - AUS 6.5

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9

Red Hat Enterprise Linux Workstation 6

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9
i386
thunderbird-24.8.0-1.el6_5.i686.rpm SHA-256: 585f557c3c8ac34fb3756ff2993261da3825edfada75d6c8573a22d660231793
thunderbird-debuginfo-24.8.0-1.el6_5.i686.rpm SHA-256: 28dda16a23bfb6354cde1eada9319d8a396663569bf382761aebeab347a5beb5

Red Hat Enterprise Linux Workstation 5

SRPM
thunderbird-24.8.0-1.el5_10.src.rpm SHA-256: bd5ee7c5e9e27eb1dca4f71df2b2fef557d4db0fa97545d5d47b54af6260e2c0
x86_64
thunderbird-24.8.0-1.el5_10.x86_64.rpm SHA-256: 98aa7f40f81b8cf8fe84f0b68f1c1ea03ea42f367b19a6eda361886a8d600ca8
thunderbird-debuginfo-24.8.0-1.el5_10.x86_64.rpm SHA-256: 43704c02861de5d2adf61990e30d2dfc04f0e95bb561f9fcdaa8f308c17cbca4
i386
thunderbird-24.8.0-1.el5_10.i386.rpm SHA-256: 069d37c7bd29ef6b898af05e5dd451f3060dfb3a643975a9bd4de0f1d498f5a5
thunderbird-debuginfo-24.8.0-1.el5_10.i386.rpm SHA-256: ebd5a1d8d3788a4d95411e6d424af96fd710ee11bd7d83ff92e70cde205e5de8

Red Hat Enterprise Linux Desktop 6

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9
i386
thunderbird-24.8.0-1.el6_5.i686.rpm SHA-256: 585f557c3c8ac34fb3756ff2993261da3825edfada75d6c8573a22d660231793
thunderbird-debuginfo-24.8.0-1.el6_5.i686.rpm SHA-256: 28dda16a23bfb6354cde1eada9319d8a396663569bf382761aebeab347a5beb5

Red Hat Enterprise Linux Desktop 5

SRPM
thunderbird-24.8.0-1.el5_10.src.rpm SHA-256: bd5ee7c5e9e27eb1dca4f71df2b2fef557d4db0fa97545d5d47b54af6260e2c0
x86_64
thunderbird-24.8.0-1.el5_10.x86_64.rpm SHA-256: 98aa7f40f81b8cf8fe84f0b68f1c1ea03ea42f367b19a6eda361886a8d600ca8
thunderbird-debuginfo-24.8.0-1.el5_10.x86_64.rpm SHA-256: 43704c02861de5d2adf61990e30d2dfc04f0e95bb561f9fcdaa8f308c17cbca4
i386
thunderbird-24.8.0-1.el5_10.i386.rpm SHA-256: 069d37c7bd29ef6b898af05e5dd451f3060dfb3a643975a9bd4de0f1d498f5a5
thunderbird-debuginfo-24.8.0-1.el5_10.i386.rpm SHA-256: ebd5a1d8d3788a4d95411e6d424af96fd710ee11bd7d83ff92e70cde205e5de8

Red Hat Enterprise Linux for IBM z Systems 6

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
s390x
thunderbird-24.8.0-1.el6_5.s390x.rpm SHA-256: 6d49f9c6e9e45d44b0759ef9c6080d7e5e65e2f8875fb4fc855dd7b9c1ccfe93
thunderbird-debuginfo-24.8.0-1.el6_5.s390x.rpm SHA-256: 579f263a9c56cd94ffcf1390497df4f219f7d1fc9e19ef92079d277fa6736f50

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.5

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
s390x
thunderbird-24.8.0-1.el6_5.s390x.rpm SHA-256: 6d49f9c6e9e45d44b0759ef9c6080d7e5e65e2f8875fb4fc855dd7b9c1ccfe93
thunderbird-debuginfo-24.8.0-1.el6_5.s390x.rpm SHA-256: 579f263a9c56cd94ffcf1390497df4f219f7d1fc9e19ef92079d277fa6736f50

Red Hat Enterprise Linux for Power, big endian 6

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
ppc64
thunderbird-24.8.0-1.el6_5.ppc64.rpm SHA-256: 2ec3180a1208bd56d6c91402b79620726405190a183f22709ddbad01c27c67ef
thunderbird-debuginfo-24.8.0-1.el6_5.ppc64.rpm SHA-256: be3d32f26668e6e31cb2c0a70ab47dd73ffd67b51ef07d01004b72fb24e89ea0

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.5

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
ppc64
thunderbird-24.8.0-1.el6_5.ppc64.rpm SHA-256: 2ec3180a1208bd56d6c91402b79620726405190a183f22709ddbad01c27c67ef
thunderbird-debuginfo-24.8.0-1.el6_5.ppc64.rpm SHA-256: be3d32f26668e6e31cb2c0a70ab47dd73ffd67b51ef07d01004b72fb24e89ea0

Red Hat Enterprise Linux Server from RHUI 6

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9
i386
thunderbird-24.8.0-1.el6_5.i686.rpm SHA-256: 585f557c3c8ac34fb3756ff2993261da3825edfada75d6c8573a22d660231793
thunderbird-debuginfo-24.8.0-1.el6_5.i686.rpm SHA-256: 28dda16a23bfb6354cde1eada9319d8a396663569bf382761aebeab347a5beb5

Red Hat Enterprise Linux Server from RHUI 5

SRPM
thunderbird-24.8.0-1.el5_10.src.rpm SHA-256: bd5ee7c5e9e27eb1dca4f71df2b2fef557d4db0fa97545d5d47b54af6260e2c0
x86_64
thunderbird-24.8.0-1.el5_10.x86_64.rpm SHA-256: 98aa7f40f81b8cf8fe84f0b68f1c1ea03ea42f367b19a6eda361886a8d600ca8
thunderbird-debuginfo-24.8.0-1.el5_10.x86_64.rpm SHA-256: 43704c02861de5d2adf61990e30d2dfc04f0e95bb561f9fcdaa8f308c17cbca4
i386
thunderbird-24.8.0-1.el5_10.i386.rpm SHA-256: 069d37c7bd29ef6b898af05e5dd451f3060dfb3a643975a9bd4de0f1d498f5a5
thunderbird-debuginfo-24.8.0-1.el5_10.i386.rpm SHA-256: ebd5a1d8d3788a4d95411e6d424af96fd710ee11bd7d83ff92e70cde205e5de8

Red Hat Enterprise Linux Server - TUS 6.5

SRPM
thunderbird-24.8.0-1.el6_5.src.rpm SHA-256: 5d002268843b353920dc25908d15a789fa4f795f466c109eafd9cb130fa2a88f
x86_64
thunderbird-24.8.0-1.el6_5.x86_64.rpm SHA-256: d69f8c420504a7a9cc7b1aca0fe3007acab37d2858f429835926b3f595654fa0
thunderbird-debuginfo-24.8.0-1.el6_5.x86_64.rpm SHA-256: b21565b306e074449def7528430dafbad5838fc07b1852ba9c96d7319d6516c9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.