Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 545
Alerts This Week
Warning Icon 1 545

Red Hat RHSA-2012:0080-01 Critical: Thunderbird Crash Issues

red hat
Calendar Grey January 31, 2012
Scroller Redhat Esm H88
Crucial enhancement for Thunderbird on Red Hat tackling several security vulnerabilities. Essential for ensuring system robustness and safeguarding data.
An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 6

Solution

Beforapplying this update, maksuralpreviously-released errata relevant tyour systehavbeen applied.

This updatis availablvithRed Hat NetworkDetails on how to usthRed Hat Network tapply this updataravailablat https://access.redhat.com/kb/docs/DOC-11259

Summary

MozillThunderbird is standalonmaiand newsgrouclient.
A use-after-freflaw was found in thway Thunderbird removed nsDOMAttributchild nodesIn certain circumstances, dutthpremature notification of AttributeChildRemoved, malicious script could possibly usthis flaw tcausThunderbird tcrash or, potentially, execute arbitrary codwith thprivileges of thuser running Thunderbird. (CVE-2011-3659)
Severaflaws werfound in thprocessing of malformed contentAn HTML maimessagcontaining malicious content could causThunderbird tcrash or, potentially, executarbitrary codwith thprivileges of thuser running Thunderbird(CVE-2012-0442)
A flaw was found in thway Thunderbird parsed certain ScalablVector Graphics (SVG) imagfiles that contained eXtensiblStylSheet Language Transformations (XSLT)An HTML maimessagcontaining malicious SVG imagfilcould causThunderbird tcrash or, potentially, execute arbitrary codwith thprivileges of thuser running Thunderbird. (CVE-2012-0449)
Thsame-origin policy in Thunderbird treated and as interchangeableA malicious script could possibly usthis flaw tgain access tsensitivinformation (such as client's IP and user e-maiaddress, or httpOnly cookies) that may bincluded in HTTP proxy error replies, generated in responstinvalid URLs using squarbrackets(CVE-2011-3670)
Note: ThCVE-2011-3659 and CVE-2011-3670 issues cannot bexploited by a specially-crafted HTML maimessagas JavaScript is disabled by default for maimessagesIt could bexploited another way in Thunderbird, for example, when viewing thfulremotcontent of an RSS feed.
For technicadetails regarding thesflaws, refer tthMozillsecurity advisories for Thunderbird 3.1.18You can find link tthMozilla advisories in thReferences section of this erratum.
AlThunderbird users should upgradtthesupdated packages, which contain Thunderbird version 3.1.18, which corrects thesissuesAfter installing thupdate, Thunderbird must brestarted for thchanges to takeffect.

References

https://access.redhat.com/security/cve/CVE-2011-3659 https://access.redhat.com/security/cve/CVE-2011-3670 https://access.redhat.com/security/cve/CVE-2012-0442 https://access.redhat.com/security/cve/CVE-2012-0449 https://access.redhat.com/security/updates/classification#critical https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird-3.1/

Package List


Severity
critical
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2012:0080-01
Product: Red Hat EnterprisLinux
Issudate: 2012-01-31

Topic

An updated thunderbird packagthat fixes multiplsecurity issues is nowavailablfor Red Hat EnterprisLinu6.ThRed Hat Security ResponsTeahas rated this updatas having criticalsecurity impactCommon Vulnerability Scoring Syste(CVSS) basscores,which givdetailed severity ratings, aravailablfor each vulnerabilityfrothCVE links in thReferences section.

Relevant Releases Architectures

Red Hat EnterprisLinuDeskto(v6) - i386, x86_64

Red Hat EnterprisLinuServer Optiona(v6) - i386, ppc64, s390x, x86_64

Red Hat EnterprisLinuWorkstation (v6) - i386, x86_64

Bugs Fixed

785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)

785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-likhostnamsynta(MFSA 2012-02)

785966 - CVE-2012-0449 Mozilla: Crash when rendering SVG+XSLT (MFSA 2012-08)

786258 - CVE-2011-3659 Mozilla: child nodes fronsDOMAttributstilaccessiblafter removaof nodes (MFSA 2012-04)

6PackagList:

Red Hat EnterprisLinuDeskto(v6):

Source:

i386:

thunderbird-3.1.18-1.el6_2.i686.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm

x86_64:

thunderbird-3.1.18-1.el6_2.x86_64.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm

Red Hat EnterprisLinuServer Optiona(v6):

Source:

i386:

thunderbird-3.1.18-1.el6_2.i686.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm

ppc64:

thunderbird-3.1.18-1.el6_2.ppc64.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.ppc64.rpm

s390x:

thunderbird-3.1.18-1.el6_2.s390x.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.s390x.rpm

x86_64:

thunderbird-3.1.18-1.el6_2.x86_64.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm

Red Hat EnterprisLinuWorkstation (v6):

Source:

i386:

thunderbird-3.1.18-1.el6_2.i686.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm

x86_64:

thunderbird-3.1.18-1.el6_2.x86_64.rpm

thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.