Red Hat Product Errata RHSA-2023:0461 - Security Advisory
Issued:
2023-01-25
Updated:
2023-01-25

RHSA-2023:0461 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

  • Mozilla: libusrsctp library out of date (CVE-2022-46871)
  • Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)
  • Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)
  • Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)
  • Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)
  • Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)
  • Mozilla: Fullscreen notification bypass (CVE-2022-46877)
  • Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date
  • BZ - 2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux
  • BZ - 2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output
  • BZ - 2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation
  • BZ - 2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
  • BZ - 2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass
  • BZ - 2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive
  • BZ - 2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
x86_64
thunderbird-102.7.1-1.el9_0.x86_64.rpm SHA-256: b6654108b577b9e2cf460745d0a9b6638fa537da2bdb571a61b1c7e227ef75af
thunderbird-debuginfo-102.7.1-1.el9_0.x86_64.rpm SHA-256: 349990e93730af3494cb713e5f3aff3db64d4a8d3e28a7699c2aef35832aaf46
thunderbird-debugsource-102.7.1-1.el9_0.x86_64.rpm SHA-256: a50e84464ca7496cf31507771d9c43d9952bf706119d3f4c24cdbba29e107930

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
s390x
thunderbird-102.7.1-1.el9_0.s390x.rpm SHA-256: fdcf04f50a9ce51a605cbc40f3499367f547850c46ae0557035647b8e8b212d3
thunderbird-debuginfo-102.7.1-1.el9_0.s390x.rpm SHA-256: 3b50b4eb0c20ec159596932a0c67e948de0ac8fe2125e9cc896430a79837a089
thunderbird-debugsource-102.7.1-1.el9_0.s390x.rpm SHA-256: a1c0d0603a4a4e5d93443a72bdf07b634b220d4acc720e795b9c89f0d3570da4

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
ppc64le
thunderbird-102.7.1-1.el9_0.ppc64le.rpm SHA-256: c587cb1549be546313618da3f6e5ddcd123be00d68078301c434a6390ee148ed
thunderbird-debuginfo-102.7.1-1.el9_0.ppc64le.rpm SHA-256: e624c056bf417e87a7c6b98ea8212b3949f249ad761b2dbc744b292cb3ae1039
thunderbird-debugsource-102.7.1-1.el9_0.ppc64le.rpm SHA-256: abc1e90f02fd2c2c7dd25f0990038f2c6a809bad37619baa50149972bc52873b

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
aarch64
thunderbird-102.7.1-1.el9_0.aarch64.rpm SHA-256: c6b39f815e7590de271b44429393460c357e62093fe83c8291c8a3c2474917ec
thunderbird-debuginfo-102.7.1-1.el9_0.aarch64.rpm SHA-256: 39eddeba5b01812d98245f38d2a93873c3abd5f0d077a840784585af7b684f0b
thunderbird-debugsource-102.7.1-1.el9_0.aarch64.rpm SHA-256: 5bf894c39f1db04e71eae56647bb4eb4a1a74013934c9a2c2f39686e59ee8605

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
ppc64le
thunderbird-102.7.1-1.el9_0.ppc64le.rpm SHA-256: c587cb1549be546313618da3f6e5ddcd123be00d68078301c434a6390ee148ed
thunderbird-debuginfo-102.7.1-1.el9_0.ppc64le.rpm SHA-256: e624c056bf417e87a7c6b98ea8212b3949f249ad761b2dbc744b292cb3ae1039
thunderbird-debugsource-102.7.1-1.el9_0.ppc64le.rpm SHA-256: abc1e90f02fd2c2c7dd25f0990038f2c6a809bad37619baa50149972bc52873b

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
x86_64
thunderbird-102.7.1-1.el9_0.x86_64.rpm SHA-256: b6654108b577b9e2cf460745d0a9b6638fa537da2bdb571a61b1c7e227ef75af
thunderbird-debuginfo-102.7.1-1.el9_0.x86_64.rpm SHA-256: 349990e93730af3494cb713e5f3aff3db64d4a8d3e28a7699c2aef35832aaf46
thunderbird-debugsource-102.7.1-1.el9_0.x86_64.rpm SHA-256: a50e84464ca7496cf31507771d9c43d9952bf706119d3f4c24cdbba29e107930

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
aarch64
thunderbird-102.7.1-1.el9_0.aarch64.rpm SHA-256: c6b39f815e7590de271b44429393460c357e62093fe83c8291c8a3c2474917ec
thunderbird-debuginfo-102.7.1-1.el9_0.aarch64.rpm SHA-256: 39eddeba5b01812d98245f38d2a93873c3abd5f0d077a840784585af7b684f0b
thunderbird-debugsource-102.7.1-1.el9_0.aarch64.rpm SHA-256: 5bf894c39f1db04e71eae56647bb4eb4a1a74013934c9a2c2f39686e59ee8605

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
thunderbird-102.7.1-1.el9_0.src.rpm SHA-256: 3aa82285ef2dc76f27dcd9885cfd2350523fe8b72f67ebf5023263012af90108
s390x
thunderbird-102.7.1-1.el9_0.s390x.rpm SHA-256: fdcf04f50a9ce51a605cbc40f3499367f547850c46ae0557035647b8e8b212d3
thunderbird-debuginfo-102.7.1-1.el9_0.s390x.rpm SHA-256: 3b50b4eb0c20ec159596932a0c67e948de0ac8fe2125e9cc896430a79837a089
thunderbird-debugsource-102.7.1-1.el9_0.s390x.rpm SHA-256: a1c0d0603a4a4e5d93443a72bdf07b634b220d4acc720e795b9c89f0d3570da4

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.