- Issued:
- 2019-07-16
- Updated:
- 2019-07-16
RHSA-2019:1799 - Security Advisory
Synopsis
Important: thunderbird security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update for thunderbird is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 60.8.0.
Security Fix(es):
- Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 (CVE-2019-11709)
- Mozilla: Sandbox escape via installation of malicious language pack (CVE-2019-9811)
- Mozilla: Script injection within domain through inner window reuse (CVE-2019-11711)
- Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (CVE-2019-11712)
- Mozilla: Use-after-free with HTTP/2 cached stream (CVE-2019-11713)
- Mozilla: HTML parsing error can contribute to content XSS (CVE-2019-11715)
- Mozilla: Caret character improperly escaped in origins (CVE-2019-11717)
- Mozilla: Same-origin policy treats all files in a directory as having the same-origin (CVE-2019-11730)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Thunderbird fails to authenticate with gmail with ssl/tls and OAuth2 (BZ#1725919)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to take effect.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Fixes
- BZ - 1725919 - Thunderbird fails to authenticate with gmail with ssl/tls and OAuth2
- BZ - 1728430 - CVE-2019-11709 Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- BZ - 1728431 - CVE-2019-11711 Mozilla: Script injection within domain through inner window reuse
- BZ - 1728432 - CVE-2019-11712 Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
- BZ - 1728433 - CVE-2019-11713 Mozilla: Use-after-free with HTTP/2 cached stream
- BZ - 1728434 - CVE-2019-11715 Mozilla: HTML parsing error can contribute to content XSS
- BZ - 1728435 - CVE-2019-11717 Mozilla: Caret character improperly escaped in origins
- BZ - 1728438 - CVE-2019-11730 Mozilla: Same-origin policy treats all files in a directory as having the same-origin
- BZ - 1728439 - CVE-2019-9811 Mozilla: Sandbox escape via installation of malicious language pack
CVEs
- CVE-2019-9811
- CVE-2019-11709
- CVE-2019-11711
- CVE-2019-11712
- CVE-2019-11713
- CVE-2019-11715
- CVE-2019-11717
- CVE-2019-11730
References
Red Hat Enterprise Linux for x86_64 8
| SRPM | |
|---|---|
| thunderbird-60.8.0-1.el8_0.src.rpm | SHA-256: 5bf70d5344ed3967970a1a533131f2057e3424e68312ee0343e8012e45bab47a |
| x86_64 | |
| thunderbird-60.8.0-1.el8_0.x86_64.rpm | SHA-256: 96f1a8e3933f8f6dfd09a041f98acac26680b71e5e499aee0a9a2fdee6adcc0d |
| thunderbird-debuginfo-60.8.0-1.el8_0.x86_64.rpm | SHA-256: d0115888435c6d672fdd195b33d6f3a43b0d920d7df2e158f13ffaa9af3f8361 |
| thunderbird-debugsource-60.8.0-1.el8_0.x86_64.rpm | SHA-256: 87da68c273e8418a47254a38d1d3ced0d8892c6d765a97c1232a42ee8ee35731 |
Red Hat Enterprise Linux for Power, little endian 8
| SRPM | |
|---|---|
| thunderbird-60.8.0-1.el8_0.src.rpm | SHA-256: 5bf70d5344ed3967970a1a533131f2057e3424e68312ee0343e8012e45bab47a |
| ppc64le | |
| thunderbird-60.8.0-1.el8_0.ppc64le.rpm | SHA-256: 251bd1292cff641f33ebbab778bf9f43bf1734238c5c983a9821360ce550f5ad |
| thunderbird-debuginfo-60.8.0-1.el8_0.ppc64le.rpm | SHA-256: 3655c1ae8c0f214e0cb7fd553bcd635616da68a053fc0bce7f93d40dffb27465 |
| thunderbird-debugsource-60.8.0-1.el8_0.ppc64le.rpm | SHA-256: 2b54a66ebadf5821732a0cd9d84006e9feb7902409abbe6b3ade3a5c495b31be |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.