RHSA-2024:4002 - Security Advisory

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

• thunderbird: Use-after-free in networking (CVE-2024-5702)
• thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)
• thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)
• thunderbird: Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)
• thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)
• thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)
• thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

• Red Hat Enterprise Linux for x86_64 9 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
• Red Hat Enterprise Linux Server - AUS 9.6 x86_64
• Red Hat Enterprise Linux Server - AUS 9.4 x86_64
• Red Hat Enterprise Linux for IBM z Systems 9 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
• Red Hat Enterprise Linux for Power, little endian 9 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
• Red Hat Enterprise Linux for ARM 64 9 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x

Fixes

• BZ - 2291394 - CVE-2024-5702 Mozilla: Use-after-free in networking
• BZ - 2291395 - CVE-2024-5688 Mozilla: Use-after-free in JavaScript object transplant
• BZ - 2291396 - CVE-2024-5690 Mozilla: External protocol handlers leaked by timing attack
• BZ - 2291397 - CVE-2024-5691 Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
• BZ - 2291399 - CVE-2024-5693 Mozilla: Cross-Origin Image leak via Offscreen Canvas
• BZ - 2291400 - CVE-2024-5696 Mozilla: Memory Corruption in Text Fragments
• BZ - 2291401 - CVE-2024-5700 Mozilla: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12

CVEs

• CVE-2024-5688
• CVE-2024-5690
• CVE-2024-5691
• CVE-2024-5693
• CVE-2024-5696
• CVE-2024-5700
• CVE-2024-5702

References

• https://access.redhat.com/security/updates/classification/#important