Red Hat Product Errata RHSA-2024:9019 - Security Advisory
Issued:
2024-11-07
Updated:
2024-11-07

RHSA-2024:9019 - Security Advisory

Synopsis

Moderate: thunderbird security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)
  • firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)
  • firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)
  • firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)
  • firefox: thunderbird: Clipboard "paste" button persisted across tabs (CVE-2024-10465)
  • firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)
  • firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)
  • firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)
  • firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2322424 - CVE-2024-10464 firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser
  • BZ - 2322425 - CVE-2024-10461 firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
  • BZ - 2322428 - CVE-2024-10458 firefox: thunderbird: Permission leak via embed or object elements
  • BZ - 2322429 - CVE-2024-10459 firefox: thunderbird: Use-after-free in layout with accessibility
  • BZ - 2322433 - CVE-2024-10467 firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
  • BZ - 2322434 - CVE-2024-10465 firefox: thunderbird: Clipboard "paste" button persisted across tabs
  • BZ - 2322438 - CVE-2024-10466 firefox: DOM push subscription message could hang Firefox
  • BZ - 2322439 - CVE-2024-10463 firefox: thunderbird: Cross origin video frame leak
  • BZ - 2322440 - CVE-2024-10462 firefox: thunderbird: Origin of permission prompt could be spoofed by long URL
  • BZ - 2322444 - CVE-2024-10460 firefox: thunderbird: Confusing display of origin for external protocol handler prompt

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
thunderbird-128.4.0-1.el9_0.src.rpm SHA-256: c66fedebbf1c2b12772cf54a46163bc6e0ae158d2e51daf0c3b4677ae971ee87
ppc64le
thunderbird-128.4.0-1.el9_0.ppc64le.rpm SHA-256: bdfc3279ce5f1376a7a950bded566dc9a1b6f7c46ee5471face983135a95953a
thunderbird-debuginfo-128.4.0-1.el9_0.ppc64le.rpm SHA-256: 54dcd3db7387629efa2b8de87d78aba6ff60b98eb24de531a4076fbbb1b6103d
thunderbird-debugsource-128.4.0-1.el9_0.ppc64le.rpm SHA-256: 0c5e217397463710847c7f34bfd7b68b5e4d6438fc49bc7b1a62f6e4c2298aed

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
thunderbird-128.4.0-1.el9_0.src.rpm SHA-256: c66fedebbf1c2b12772cf54a46163bc6e0ae158d2e51daf0c3b4677ae971ee87
x86_64
thunderbird-128.4.0-1.el9_0.x86_64.rpm SHA-256: 98463425bc001f3947a68ee68392ecdd90f3b77cc66785a096c886ca33ee00fe
thunderbird-debuginfo-128.4.0-1.el9_0.x86_64.rpm SHA-256: 664a11a5528764ffe275e5950f35fa1a23e0b5ec7ce5990308fd9ef475598f30
thunderbird-debugsource-128.4.0-1.el9_0.x86_64.rpm SHA-256: 8aa7fb27bea436108b2f86f67db74f4b20a657cc6d55e5227caf1bc2fa402245

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
thunderbird-128.4.0-1.el9_0.src.rpm SHA-256: c66fedebbf1c2b12772cf54a46163bc6e0ae158d2e51daf0c3b4677ae971ee87
aarch64
thunderbird-128.4.0-1.el9_0.aarch64.rpm SHA-256: 7a7fd211be2ac88aec99d8be72c8e6cc7f8f230b5720750ccee0452346c3fdb3
thunderbird-debuginfo-128.4.0-1.el9_0.aarch64.rpm SHA-256: d19063c66dd963c286b6a7b47617775f622980e5aec7659f0fa04a1f545ab7e0
thunderbird-debugsource-128.4.0-1.el9_0.aarch64.rpm SHA-256: c08e6a990dccd14870ce72d74d5bac2439632c87b0f6a1db0bcf7b5452bc6bce

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
thunderbird-128.4.0-1.el9_0.src.rpm SHA-256: c66fedebbf1c2b12772cf54a46163bc6e0ae158d2e51daf0c3b4677ae971ee87
s390x
thunderbird-128.4.0-1.el9_0.s390x.rpm SHA-256: ddc1c18390cc8671164ed130763a0ccb9659835e609c009e2449e8d698dec43e
thunderbird-debuginfo-128.4.0-1.el9_0.s390x.rpm SHA-256: 0f9889f77fe3640d8d7e3c725d9c5a16a6cf521f33f081362ca0ec4051de9fe3
thunderbird-debugsource-128.4.0-1.el9_0.s390x.rpm SHA-256: 95b6c378ecf81981fd70a9dc1a4d1be8174cbf19b04847f3c431002aadb7fc85

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.