Red Hat: 2012:0085-01: thunderbird: Critical Advisory

    Date31 Jan 2012
    CategoryRed Hat
    1745
    Posted ByJoe Shakespeare
    An updated thunderbird package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having critical [More...]
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Critical: thunderbird security update
    Advisory ID:       RHSA-2012:0085-01
    Product:           Red Hat Enterprise Linux
    Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0085.html
    Issue date:        2012-02-01
    CVE Names:         CVE-2011-3670 CVE-2012-0442 
    =====================================================================
    
    1. Summary:
    
    An updated thunderbird package that fixes two security issues is now
    available for Red Hat Enterprise Linux 4 and 5.
    
    The Red Hat Security Response Team has rated this update as having critical
    security impact. Common Vulnerability Scoring System (CVSS) base scores,
    which give detailed severity ratings, are available for each vulnerability
    from the CVE links in the References section.
    
    2. Relevant releases/architectures:
    
    RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
    Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
    Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
    Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
    Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
    Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
    
    3. Description:
    
    Mozilla Thunderbird is a standalone mail and newsgroup client.
    
    A flaw was found in the processing of malformed content. An HTML mail
    message containing malicious content could cause Thunderbird to crash or,
    potentially, execute arbitrary code with the privileges of the user running
    Thunderbird. (CVE-2012-0442)
    
    The same-origin policy in Thunderbird treated http://example.com and
    http://[example.com] as interchangeable. A malicious script could possibly
    use this flaw to gain access to sensitive information (such as a client's
    IP and user e-mail address, or httpOnly cookies) that may be included in
    HTTP proxy error replies, generated in response to invalid URLs using
    square brackets. (CVE-2011-3670)
    
    Note: The CVE-2011-3670 issue cannot be exploited by a specially-crafted
    HTML mail message as JavaScript is disabled by default for mail messages.
    It could be exploited another way in Thunderbird, for example, when viewing
    the full remote content of an RSS feed.
    
    All Thunderbird users should upgrade to this updated package, which
    resolves these issues. All running instances of Thunderbird must be
    restarted for the update to take effect.
    
    4. Solution:
    
    Before applying this update, make sure all previously-released errata
    relevant to your system have been applied.
    
    This update is available via the Red Hat Network. Details on how to
    use the Red Hat Network to apply this update are available at
    https://access.redhat.com/kb/docs/DOC-11259
    
    5. Bugs fixed (http://bugzilla.redhat.com/):
    
    785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)
    785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)
    
    6. Package List:
    
    Red Hat Enterprise Linux AS version 4:
    
    Source:
    ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm
    
    i386:
    thunderbird-1.5.0.12-46.el4.i386.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
    
    ia64:
    thunderbird-1.5.0.12-46.el4.ia64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm
    
    ppc:
    thunderbird-1.5.0.12-46.el4.ppc.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.ppc.rpm
    
    s390:
    thunderbird-1.5.0.12-46.el4.s390.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.s390.rpm
    
    s390x:
    thunderbird-1.5.0.12-46.el4.s390x.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.s390x.rpm
    
    x86_64:
    thunderbird-1.5.0.12-46.el4.x86_64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
    
    Red Hat Enterprise Linux Desktop version 4:
    
    Source:
    ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm
    
    i386:
    thunderbird-1.5.0.12-46.el4.i386.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
    
    x86_64:
    thunderbird-1.5.0.12-46.el4.x86_64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
    
    Red Hat Enterprise Linux ES version 4:
    
    Source:
    ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm
    
    i386:
    thunderbird-1.5.0.12-46.el4.i386.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
    
    ia64:
    thunderbird-1.5.0.12-46.el4.ia64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm
    
    x86_64:
    thunderbird-1.5.0.12-46.el4.x86_64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
    
    Red Hat Enterprise Linux WS version 4:
    
    Source:
    ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm
    
    i386:
    thunderbird-1.5.0.12-46.el4.i386.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm
    
    ia64:
    thunderbird-1.5.0.12-46.el4.ia64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm
    
    x86_64:
    thunderbird-1.5.0.12-46.el4.x86_64.rpm
    thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm
    
    Red Hat Enterprise Linux Desktop (v. 5 client):
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.24-28.el5_7.src.rpm
    
    i386:
    thunderbird-2.0.0.24-28.el5_7.i386.rpm
    thunderbird-debuginfo-2.0.0.24-28.el5_7.i386.rpm
    
    x86_64:
    thunderbird-2.0.0.24-28.el5_7.x86_64.rpm
    thunderbird-debuginfo-2.0.0.24-28.el5_7.x86_64.rpm
    
    RHEL Optional Productivity Applications (v. 5 server):
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-2.0.0.24-28.el5_7.src.rpm
    
    i386:
    thunderbird-2.0.0.24-28.el5_7.i386.rpm
    thunderbird-debuginfo-2.0.0.24-28.el5_7.i386.rpm
    
    x86_64:
    thunderbird-2.0.0.24-28.el5_7.x86_64.rpm
    thunderbird-debuginfo-2.0.0.24-28.el5_7.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and 
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/#package
    
    7. References:
    
    https://www.redhat.com/security/data/cve/CVE-2011-3670.html
    https://www.redhat.com/security/data/cve/CVE-2012-0442.html
    https://access.redhat.com/security/updates/classification/#critical
    
    8. Contact:
    
    The Red Hat security contact is .  More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2012 Red Hat, Inc.
    
    You are not authorised to post comments.

    LinuxSecurity Poll

    In your opinion, what is the biggest advantage associated with choosing open-source software/products?

    Message!

    Poll results are hidden from public viewing.

    You are not authorized to vote on this poll.

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 4 answer(s).
    /component/communitypolls/?task=poll.vote
    8
    radio
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.