Red Hat Product Errata RHSA-2020:0292 - Security Advisory

Issued:: 2020-01-30
Updated:: 2020-01-30

RHSA-2020:0292 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.4.1.

Security Fix(es):

Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement (CVE-2019-17026)
Mozilla: Use-after-free in worker destruction (CVE-2019-17008)
Mozilla: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (CVE-2019-17012)
Mozilla: Bypass of @namespace CSS sanitization during pasting (CVE-2019-17016)
Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017)
Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 (CVE-2019-17024)
Mozilla: Buffer overflow in plain text serializer (CVE-2019-17005)
Mozilla: Use-after-free when performing device orientation checks (CVE-2019-17010)
Mozilla: Use-after-free when retrieving a document in antitracking (CVE-2019-17011)
Mozilla: CSS sanitization does not escape HTML tags (CVE-2019-17022)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.0 ppc64le
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.0 x86_64

Fixes

BZ - 1779431 - CVE-2019-17008 Mozilla: Use-after-free in worker destruction
BZ - 1779434 - CVE-2019-17010 Mozilla: Use-after-free when performing device orientation checks
BZ - 1779435 - CVE-2019-17005 Mozilla: Buffer overflow in plain text serializer
BZ - 1779436 - CVE-2019-17011 Mozilla: Use-after-free when retrieving a document in antitracking
BZ - 1779437 - CVE-2019-17012 Mozilla: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
BZ - 1788723 - CVE-2019-17016 Mozilla: Bypass of @namespace CSS sanitization during pasting
BZ - 1788724 - CVE-2019-17017 Mozilla: Type Confusion in XPCVariant.cpp
BZ - 1788726 - CVE-2019-17022 Mozilla: CSS sanitization does not escape HTML tags
BZ - 1788727 - CVE-2019-17024 Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
BZ - 1789214 - CVE-2019-17026 Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

CVEs

References

https://access.redhat.com/security/updates/classification/#important

https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/

https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.0

SRPM
thunderbird-68.4.1-2.el8_0.src.rpm	SHA-256: 47d7d04ffa09c656035fc7944cb9f80b891705642c479aaebaabde72b0e0799c
ppc64le
thunderbird-68.4.1-2.el8_0.ppc64le.rpm	SHA-256: d10912f66fc2d69df0ae0eb8072af966f35badd805a1ce928206d5a21fc5d733
thunderbird-debuginfo-68.4.1-2.el8_0.ppc64le.rpm	SHA-256: 7a82c1dc6402b37c7897f45efb9e47082fe4ecdcfab0379a50248dd162db31ef
thunderbird-debugsource-68.4.1-2.el8_0.ppc64le.rpm	SHA-256: a765242fcf8a2f6c0b5541aa08c5ca890bfca4d12e63b1d81e121b168aa79ede

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.0

SRPM
thunderbird-68.4.1-2.el8_0.src.rpm	SHA-256: 47d7d04ffa09c656035fc7944cb9f80b891705642c479aaebaabde72b0e0799c
x86_64
thunderbird-68.4.1-2.el8_0.x86_64.rpm	SHA-256: 57a33391803b0168b7ed740f9d7c15e0cfb83a43f4c801457425ab352df58073
thunderbird-debuginfo-68.4.1-2.el8_0.x86_64.rpm	SHA-256: 653ba7500f42d395e2e375ff0a6a36439bfe52b06fdbdf3580de33e8e9770e42
thunderbird-debugsource-68.4.1-2.el8_0.x86_64.rpm	SHA-256: 04097c9ccefb8af8b01dd5515e649f038a65cefaeafb788d58dc48e8df5d3781

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories