Issued:: 2022-06-30
Updated:: 2022-06-30

RHSA-2022:5470 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.11.

Security Fix(es):

Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (CVE-2022-34468)
Mozilla: Use-after-free in nsSHistory (CVE-2022-34470)
Mozilla: A popup window could be resized in a way to overlay the address bar with web content (CVE-2022-34479)
Mozilla: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (CVE-2022-34484)
Mozilla: Undesired attributes could be set as part of prototype pollution (CVE-2022-2200)
Mozilla: An email with a mismatching OpenPGP signature date was accepted as valid (CVE-2022-2226)
Mozilla: CSP bypass enabling stylesheet injection (CVE-2022-31744)
Mozilla: Unavailable PAC file resulted in OCSP requests being blocked (CVE-2022-34472)
Mozilla: Potential integer overflow in ReplaceElementsAt (CVE-2022-34481)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64
Red Hat Enterprise Linux Server - AUS 8.6 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
Red Hat Enterprise Linux Server - TUS 8.8 x86_64
Red Hat Enterprise Linux Server - TUS 8.6 x86_64
Red Hat Enterprise Linux for ARM 64 8 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

BZ - 2102161 - CVE-2022-34479 Mozilla: A popup window could be resized in a way to overlay the address bar with web content
BZ - 2102162 - CVE-2022-34470 Mozilla: Use-after-free in nsSHistory
BZ - 2102163 - CVE-2022-34468 Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
BZ - 2102164 - CVE-2022-34481 Mozilla: Potential integer overflow in ReplaceElementsAt
BZ - 2102165 - CVE-2022-31744 Mozilla: CSP bypass enabling stylesheet injection
BZ - 2102166 - CVE-2022-34472 Mozilla: Unavailable PAC file resulted in OCSP requests being blocked
BZ - 2102168 - CVE-2022-2200 Mozilla: Undesired attributes could be set as part of prototype pollution
BZ - 2102169 - CVE-2022-34484 Mozilla: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
BZ - 2102204 - CVE-2022-2226 Mozilla: An email with a mismatching OpenPGP signature date was accepted as valid

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux Server - AUS 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
s390x
thunderbird-91.11.0-2.el8_6.s390x.rpm	SHA-256: 402d13f1a2bb0f3c5723e23e6253a89057d42d69d4fd6adae9fb257d0c8b5568
thunderbird-debuginfo-91.11.0-2.el8_6.s390x.rpm	SHA-256: fd6cc752afff9974f3f9d2fa36eeaaffe3765fb2d1fdfd5cc41fad1d67a22d6a
thunderbird-debugsource-91.11.0-2.el8_6.s390x.rpm	SHA-256: cfb10440cec26efc3457e1a21cdbf871ea96fe22099c0e6f4d902e7922c57285

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
s390x
thunderbird-91.11.0-2.el8_6.s390x.rpm	SHA-256: 402d13f1a2bb0f3c5723e23e6253a89057d42d69d4fd6adae9fb257d0c8b5568
thunderbird-debuginfo-91.11.0-2.el8_6.s390x.rpm	SHA-256: fd6cc752afff9974f3f9d2fa36eeaaffe3765fb2d1fdfd5cc41fad1d67a22d6a
thunderbird-debugsource-91.11.0-2.el8_6.s390x.rpm	SHA-256: cfb10440cec26efc3457e1a21cdbf871ea96fe22099c0e6f4d902e7922c57285

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
s390x
thunderbird-91.11.0-2.el8_6.s390x.rpm	SHA-256: 402d13f1a2bb0f3c5723e23e6253a89057d42d69d4fd6adae9fb257d0c8b5568
thunderbird-debuginfo-91.11.0-2.el8_6.s390x.rpm	SHA-256: fd6cc752afff9974f3f9d2fa36eeaaffe3765fb2d1fdfd5cc41fad1d67a22d6a
thunderbird-debugsource-91.11.0-2.el8_6.s390x.rpm	SHA-256: cfb10440cec26efc3457e1a21cdbf871ea96fe22099c0e6f4d902e7922c57285

Red Hat Enterprise Linux for Power, little endian 8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
ppc64le
thunderbird-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 2955020abf183763911654a81cbd355588dc93399915996afe3d771998b8d7af
thunderbird-debuginfo-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: de1852389aa5599da9d6599f70ce3ac577f1a6ea79e8c2d201ab5e8c2076a683
thunderbird-debugsource-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 1c69e187463a7433f81d2184a8a735ef142c380d5a4767c295312e8e54725e9c

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
ppc64le
thunderbird-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 2955020abf183763911654a81cbd355588dc93399915996afe3d771998b8d7af
thunderbird-debuginfo-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: de1852389aa5599da9d6599f70ce3ac577f1a6ea79e8c2d201ab5e8c2076a683
thunderbird-debugsource-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 1c69e187463a7433f81d2184a8a735ef142c380d5a4767c295312e8e54725e9c

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
ppc64le
thunderbird-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 2955020abf183763911654a81cbd355588dc93399915996afe3d771998b8d7af
thunderbird-debuginfo-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: de1852389aa5599da9d6599f70ce3ac577f1a6ea79e8c2d201ab5e8c2076a683
thunderbird-debugsource-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 1c69e187463a7433f81d2184a8a735ef142c380d5a4767c295312e8e54725e9c

Red Hat Enterprise Linux Server - TUS 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux Server - TUS 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for ARM 64 8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
aarch64
thunderbird-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 9c07cc764378fa93ba038d00be23478168279ef2f0f6837050985e4cc038359e
thunderbird-debuginfo-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 55a72af4c46fe091b4244d6df7703d999e037d773d8ac52afce6763abb7eedb8
thunderbird-debugsource-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 6b24cc53f766a86a361c3e8b4ecc4f84e21f7411bf118f97fe52c7aa448b1953

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
aarch64
thunderbird-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 9c07cc764378fa93ba038d00be23478168279ef2f0f6837050985e4cc038359e
thunderbird-debuginfo-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 55a72af4c46fe091b4244d6df7703d999e037d773d8ac52afce6763abb7eedb8
thunderbird-debugsource-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 6b24cc53f766a86a361c3e8b4ecc4f84e21f7411bf118f97fe52c7aa448b1953

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
aarch64
thunderbird-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 9c07cc764378fa93ba038d00be23478168279ef2f0f6837050985e4cc038359e
thunderbird-debuginfo-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 55a72af4c46fe091b4244d6df7703d999e037d773d8ac52afce6763abb7eedb8
thunderbird-debugsource-91.11.0-2.el8_6.aarch64.rpm	SHA-256: 6b24cc53f766a86a361c3e8b4ecc4f84e21f7411bf118f97fe52c7aa448b1953

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
ppc64le
thunderbird-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 2955020abf183763911654a81cbd355588dc93399915996afe3d771998b8d7af
thunderbird-debuginfo-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: de1852389aa5599da9d6599f70ce3ac577f1a6ea79e8c2d201ab5e8c2076a683
thunderbird-debugsource-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 1c69e187463a7433f81d2184a8a735ef142c380d5a4767c295312e8e54725e9c

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
ppc64le
thunderbird-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 2955020abf183763911654a81cbd355588dc93399915996afe3d771998b8d7af
thunderbird-debuginfo-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: de1852389aa5599da9d6599f70ce3ac577f1a6ea79e8c2d201ab5e8c2076a683
thunderbird-debugsource-91.11.0-2.el8_6.ppc64le.rpm	SHA-256: 1c69e187463a7433f81d2184a8a735ef142c380d5a4767c295312e8e54725e9c

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6

SRPM
thunderbird-91.11.0-2.el8_6.src.rpm	SHA-256: 92c3da9716489d68e8ef1cd37944be283d0f0678ba64dbca1ca58ff11c132c2d
x86_64
thunderbird-91.11.0-2.el8_6.x86_64.rpm	SHA-256: d9ce098fc9b4816b34a8172284cda32bf51d596cf0c9288b9ec9522010df359c
thunderbird-debuginfo-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 623abbf0196f8fcb70da41f14c77d58e0f872fa8fab01c042922323aae463b7e
thunderbird-debugsource-91.11.0-2.el8_6.x86_64.rpm	SHA-256: 22d62022652edb4389a0dc838e905eab4f51b48b1e2153b3804447e1fd4f6551

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.