Issued:: 2024-06-20
Updated:: 2024-06-20

RHSA-2024:4001 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

thunderbird: Use-after-free in networking (CVE-2024-5702)
thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)
thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)
thunderbird: Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)
thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)
thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)
thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

Red Hat Enterprise Linux Server - AUS 8.2 x86_64

Fixes

BZ - 2291394 - CVE-2024-5702 Mozilla: Use-after-free in networking
BZ - 2291395 - CVE-2024-5688 Mozilla: Use-after-free in JavaScript object transplant
BZ - 2291396 - CVE-2024-5690 Mozilla: External protocol handlers leaked by timing attack
BZ - 2291397 - CVE-2024-5691 Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
BZ - 2291399 - CVE-2024-5693 Mozilla: Cross-Origin Image leak via Offscreen Canvas
BZ - 2291400 - CVE-2024-5696 Mozilla: Memory Corruption in Text Fragments
BZ - 2291401 - CVE-2024-5700 Mozilla: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
thunderbird-115.12.1-1.el8_2.src.rpm	SHA-256: fca97c50c2f082125b7d3f259552b905e316a45bcd066ad0b2236e5fdab79563
x86_64
thunderbird-115.12.1-1.el8_2.x86_64.rpm	SHA-256: 6e032f7293d6fe0cfb1f469dc040b17b020a4d2ee61bc8df93aae5fd818d062e
thunderbird-debuginfo-115.12.1-1.el8_2.x86_64.rpm	SHA-256: d762b6854678d677685b5b759b70ca5d55530f9e903ef4a2b816110c1464ed48
thunderbird-debugsource-115.12.1-1.el8_2.x86_64.rpm	SHA-256: 2cbc01a54b49f26943928dc1b33391d12dd1b04424d26e3db7b7275eff995c32

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation