
Security Advisory Important: thunderbird security update

Advisory: RHSA-2012:1413-1
Type: Security Advisory
Severity: Important
Issued on: 2012-10-29
Last updated on: 2012-10-29
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.3.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2012-4194
CVE-2012-4195
CVE-2012-4196

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, bypass the same-origin policy, or cause Thunderbird to
execute arbitrary code. (CVE-2012-4194, CVE-2012-4195, CVE-2012-4196)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Mariusz Mlynski, moz_bug_r_a4, and Antoine
Delignat-Lavaud as the original reporters of these issues.

Note: None of the issues in this advisory can be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. They could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.10 ESR, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-10.0.10-1.el5_8.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-10.0.10-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-10.0.10-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-10.0.10-1.el5_8.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-10.0.10-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-10.0.10-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-10.0.10-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-10.0.10-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
 
PPC:
thunderbird-10.0.10-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2014:0316
 
s390x:
thunderbird-10.0.10-1.el6_3.s390x.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.s390x.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Server EUS (v. 6.3.z)

SRPMS:
thunderbird-10.0.10-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2013:0272
thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2013:0272
 
PPC:
thunderbird-10.0.10-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2013:0272
thunderbird-debuginfo-10.0.10-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2013:0272
 
s390x:
thunderbird-10.0.10-1.el6_3.s390x.rpm
File outdated by:  RHSA-2013:0272
thunderbird-debuginfo-10.0.10-1.el6_3.s390x.rpm
File outdated by:  RHSA-2013:0272
 
x86_64:
thunderbird-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2013:0272
thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2013:0272
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-10.0.10-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

869893 - CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 Mozilla: Fixes for Location object issues (MFSA 2012-90)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/