Issued:
2022-11-21
Updated:
2022-11-21

RHSA-2022:8561 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

  • Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403)
  • Mozilla: Fullscreen notification bypass (CVE-2022-45404)
  • Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)
  • Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)
  • Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)
  • Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)
  • Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421)
  • Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410)
  • Mozilla: Cross-Site Tracing was possible via non-standard override headers (CVE-2022-45411)
  • Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412)
  • Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)
  • Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418)
  • Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files
  • BZ - 2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass
  • BZ - 2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation
  • BZ - 2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm
  • BZ - 2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName
  • BZ - 2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection
  • BZ - 2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
  • BZ - 2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers
  • BZ - 2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers
  • BZ - 2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage
  • BZ - 2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI
  • BZ - 2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe
  • BZ - 2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

Red Hat Enterprise Linux for x86_64 9

SRPM
thunderbird-102.5.0-2.el9_1.src.rpm SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c
x86_64
thunderbird-102.5.0-2.el9_1.x86_64.rpm SHA-256: 70b6eebb386c9eb020625c9780e9e575eb148ab24936c165e55e9fc95c697cff
thunderbird-debuginfo-102.5.0-2.el9_1.x86_64.rpm SHA-256: 5cad7b166fe1c17f212715e592368e246b5dda584ac54aed93088a3839e0aa4d
thunderbird-debugsource-102.5.0-2.el9_1.x86_64.rpm SHA-256: cd71bbf884ca097133417982d0c8fb8c46337bfb610d5c91660c6f2219c23640

Red Hat Enterprise Linux for IBM z Systems 9

SRPM
thunderbird-102.5.0-2.el9_1.src.rpm SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c
s390x
thunderbird-102.5.0-2.el9_1.s390x.rpm SHA-256: 983aeb700304f1b5721c132cf8f630374b2b74a9a40e1b9aaba1ed862ff3a697
thunderbird-debuginfo-102.5.0-2.el9_1.s390x.rpm SHA-256: e1cbde81ef158b577194e2d0f35afe34731773c7331907f3f8bb26289e4fc0f9
thunderbird-debugsource-102.5.0-2.el9_1.s390x.rpm SHA-256: 8e674898bf06b79a08831630f28fd72b9dd4da6f55ad657dcd36ac2801af4da0

Red Hat Enterprise Linux for Power, little endian 9

SRPM
thunderbird-102.5.0-2.el9_1.src.rpm SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c
ppc64le
thunderbird-102.5.0-2.el9_1.ppc64le.rpm SHA-256: ee77c89721799a4b8a71f31c56c7954f1e9faceca21b8aeea3dfa7e4a1dcc8a8
thunderbird-debuginfo-102.5.0-2.el9_1.ppc64le.rpm SHA-256: b6535c2da488533f177e3676c5271b79b88e83cf52a828892a2197d922694dbe
thunderbird-debugsource-102.5.0-2.el9_1.ppc64le.rpm SHA-256: 7f687085d541662362a89be5699452cc4f0136f7784250a69cdb9c095a78a2bb

Red Hat Enterprise Linux for ARM 64 9

SRPM
thunderbird-102.5.0-2.el9_1.src.rpm SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c
aarch64
thunderbird-102.5.0-2.el9_1.aarch64.rpm SHA-256: 6cedfac8f79fe89bffe1288bfc80502164a504ba381b123363a5fadb2a9a7e14
thunderbird-debuginfo-102.5.0-2.el9_1.aarch64.rpm SHA-256: 8855243382d1d825a03276c28b9ae072c49478aa13f0b978e64fd558008441f3
thunderbird-debugsource-102.5.0-2.el9_1.aarch64.rpm SHA-256: 80088b35459faad75bcffa52e85f2a41880b257be060255dc04f914b4fdfd02e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.