Security Advisory Important: thunderbird security update

Advisory: RHSA-2013:0821-1
Type: Security Advisory
Severity: Important
Issued on: 2013-05-14
Last updated on: 2013-05-14
Affected Products:
  RHEL Optional Productivity Applications (v. 5 server)
  RHEL Optional Productivity Applications EUS (v. 5.9.z server)
  Red Hat Enterprise Linux Desktop (v. 5 client)
  Red Hat Enterprise Linux Desktop (v. 6)
  Red Hat Enterprise Linux Server (v. 6)
  Red Hat Enterprise Linux Server AUS (v. 6.4)
  Red Hat Enterprise Linux Server EUS (v. 6.4.z)
  Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
  CVE-2013-0801
  CVE-2013-1670
  CVE-2013-1674
  CVE-2013-1675
  CVE-2013-1676
  CVE-2013-1677
  CVE-2013-1678
  CVE-2013-1679
  CVE-2013-1680
  CVE-2013-1681

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-0801,
CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678,
CVE-2013-1679, CVE-2013-1680, CVE-2013-1681)

A flaw was found in the way Thunderbird handled Content Level Constructors.
Malicious content could use this flaw to perform cross-site scripting (XSS)
attacks. (CVE-2013-1670)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christoph Diehl, Christian Holler, Jesse Ruderman,
Timothy Nikkel, Jeff Walden, Nils, Ms2ger, Abhishek Arya, and Cody Crews as
the original reporters of these issues.

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. They could be exploited in other ways in Thunderbird, for example
when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 17.0.6 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.
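
To check hosts against the fixed builds this advisory ships (thunderbird-17.0.6-1.el5_9 and thunderbird-17.0.6-2.el6_4), the following added example, which is not Red Hat tooling, compares inventory lines using RPM's segment-wise version ordering. It assumes each line is a host name followed by the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' thunderbird`; the host names and sample builds are constructed, and epochs and `~`/`^` markers are not handled.

```python
import re

# Fixed builds named in this advisory, keyed by RHEL major release tag.
FIXED = {"el5": ("17.0.6", "1.el5_9"), "el6": ("17.0.6", "2.el6_4")}

# Constructed inventory: "<host> <NAME-VERSION-RELEASE or rpm error text>".
SAMPLE = """\
mail01 thunderbird-17.0.5-1.el6_4
desk07 thunderbird-17.0.6-2.el6_4
desk09 thunderbird-17.0.6-1.el5_9
lab03 thunderbird-10.0.12-3.el5_9
web02 package thunderbird is not installed
"""

def rpmvercmp(a, b):
    """Order two version or release strings by digit/letter segments, as RPM does."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks letters
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def status(nvr):
    """Classify one NAME-VERSION-RELEASE string against the advisory's builds."""
    parts = nvr.strip().rsplit("-", 2)
    if len(parts) != 3:
        return "not-covered"  # e.g. "package thunderbird is not installed"
    name, version, release = parts
    m = re.search(r"\.(el\d+)", release)
    if name != "thunderbird" or not m or m.group(1) not in FIXED:
        return "not-covered"
    fixed_version, fixed_release = FIXED[m.group(1)]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "fixed" if order >= 0 else "vulnerable"

def vulnerable_hosts(inventory):
    """Return host names whose thunderbird build predates the fixed one."""
    hosts = []
    for line in inventory.splitlines():
        host, _, nvr = line.partition(" ")
        if status(nvr) == "vulnerable":
            hosts.append(host)
    return hosts
```
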


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-17.0.6-1.el5_9.src.rpm
File outdated by:  RHSA-2013:1269
    MD5: a893971ccb520b9a23b71a2ba19dcdd0
SHA-256: 6511d103878f002e56e94c210ea10aeaf5211570f40a030f53c5160a829659ca
 
IA-32:
thunderbird-17.0.6-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 32ce55fea0740ba877bd8c5884a30bbe
SHA-256: 85ac1d534431e2b9a99be4fa7aa7275ed035ea24d792f60dcb71fd71c35f60dc
thunderbird-debuginfo-17.0.6-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 946d3fd089905e48469e825de08f37d4
SHA-256: 087cf332e148531480e770853f7ba13f734fcb8cfd3f10ac4f08fedf9e46fada
 
x86_64:
thunderbird-17.0.6-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 2780340451f86943a9fbb08d83d5128a
SHA-256: 670cc77936b36fdf759e51522356ccf048465b44a4690238436af2aa70006a2b
thunderbird-debuginfo-17.0.6-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 7785d7339052c116ea6dd3c1fe592fdf
SHA-256: f78f6fbe47ed0a8354a963b8accb7bc1d54ab462ed02da08d25958bb204ad772
 
RHEL Optional Productivity Applications EUS (v. 5.9.z server)

SRPMS:
thunderbird-17.0.6-1.el5_9.src.rpm
File outdated by:  RHSA-2013:1269
    MD5: a893971ccb520b9a23b71a2ba19dcdd0
SHA-256: 6511d103878f002e56e94c210ea10aeaf5211570f40a030f53c5160a829659ca
 
IA-32:
thunderbird-17.0.6-1.el5_9.i386.rpm
File outdated by:  RHSA-2013:1269
    MD5: 32ce55fea0740ba877bd8c5884a30bbe
SHA-256: 85ac1d534431e2b9a99be4fa7aa7275ed035ea24d792f60dcb71fd71c35f60dc
thunderbird-debuginfo-17.0.6-1.el5_9.i386.rpm
File outdated by:  RHSA-2013:1269
    MD5: 946d3fd089905e48469e825de08f37d4
SHA-256: 087cf332e148531480e770853f7ba13f734fcb8cfd3f10ac4f08fedf9e46fada
 
x86_64:
thunderbird-17.0.6-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2013:1269
    MD5: 2780340451f86943a9fbb08d83d5128a
SHA-256: 670cc77936b36fdf759e51522356ccf048465b44a4690238436af2aa70006a2b
thunderbird-debuginfo-17.0.6-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2013:1269
    MD5: 7785d7339052c116ea6dd3c1fe592fdf
SHA-256: f78f6fbe47ed0a8354a963b8accb7bc1d54ab462ed02da08d25958bb204ad772
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-17.0.6-1.el5_9.src.rpm
File outdated by:  RHSA-2013:1269
    MD5: a893971ccb520b9a23b71a2ba19dcdd0
SHA-256: 6511d103878f002e56e94c210ea10aeaf5211570f40a030f53c5160a829659ca
 
IA-32:
thunderbird-17.0.6-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 32ce55fea0740ba877bd8c5884a30bbe
SHA-256: 85ac1d534431e2b9a99be4fa7aa7275ed035ea24d792f60dcb71fd71c35f60dc
thunderbird-debuginfo-17.0.6-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 946d3fd089905e48469e825de08f37d4
SHA-256: 087cf332e148531480e770853f7ba13f734fcb8cfd3f10ac4f08fedf9e46fada
 
x86_64:
thunderbird-17.0.6-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 2780340451f86943a9fbb08d83d5128a
SHA-256: 670cc77936b36fdf759e51522356ccf048465b44a4690238436af2aa70006a2b
thunderbird-debuginfo-17.0.6-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 7785d7339052c116ea6dd3c1fe592fdf
SHA-256: f78f6fbe47ed0a8354a963b8accb7bc1d54ab462ed02da08d25958bb204ad772
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-17.0.6-2.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: cf90877acac7640e3451268b6860a9b6
SHA-256: b0d40de5ae294203132b4de137ffb03460314e6db78e3b35e755c12746ace057
 
IA-32:
thunderbird-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: bdd8d72fe6e8bdbb6c704a6106b45659
SHA-256: d869c19cd4acea819874744b398be53cd5fc47914299cbcdeb388b52d2409c47
thunderbird-debuginfo-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: d3c5584a60ed73dffdebd04145d23676
SHA-256: 96c95708ed1837722ff2205af7dd9db9694d59479dfea76f602c50fcac0626df
 
x86_64:
thunderbird-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: c49c4a760213a859b035af381c30a73a
SHA-256: 3384586c3486c88c15ff32ee881ab50d94fe43a73a9695fa6533575e65914427
thunderbird-debuginfo-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 1a05992d246068880848fe06350ba994
SHA-256: 17b0e6e06afc15d2028e2c1d40ac7e2e158e419d49176900fa7b35d805b26abc
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-17.0.6-2.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: cf90877acac7640e3451268b6860a9b6
SHA-256: b0d40de5ae294203132b4de137ffb03460314e6db78e3b35e755c12746ace057
 
IA-32:
thunderbird-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: bdd8d72fe6e8bdbb6c704a6106b45659
SHA-256: d869c19cd4acea819874744b398be53cd5fc47914299cbcdeb388b52d2409c47
thunderbird-debuginfo-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: d3c5584a60ed73dffdebd04145d23676
SHA-256: 96c95708ed1837722ff2205af7dd9db9694d59479dfea76f602c50fcac0626df
 
PPC:
thunderbird-17.0.6-2.el6_4.ppc64.rpm
File outdated by:  RHSA-2014:0316
    MD5: e52e028f0dd96faf118d06dc9b12cb5b
SHA-256: b96fd2348b4bf42f35cb611b903c75b720c707f598c84a81060fd25afadd2832
thunderbird-debuginfo-17.0.6-2.el6_4.ppc64.rpm
File outdated by:  RHSA-2014:0316
    MD5: cdb020d5c51d1097854538074612dab1
SHA-256: 2f2b3928f705bfe51bd6269237bfe66cfe47452f0d755f421b6b1b1032034268
 
s390x:
thunderbird-17.0.6-2.el6_4.s390x.rpm
File outdated by:  RHSA-2014:0316
    MD5: 2533eb155cd9252d698c13855240fe26
SHA-256: be2c6ff01707fb1dd1fff35f1068b97328eca117cfb50a5ca62d471b849fb307
thunderbird-debuginfo-17.0.6-2.el6_4.s390x.rpm
File outdated by:  RHSA-2014:0316
    MD5: 808d285bb4f239a883bacfba00639d93
SHA-256: 784f0839c3c7b54e5f6244c90a845f920a43c31c58acbe5433921f585b58c584
 
x86_64:
thunderbird-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: c49c4a760213a859b035af381c30a73a
SHA-256: 3384586c3486c88c15ff32ee881ab50d94fe43a73a9695fa6533575e65914427
thunderbird-debuginfo-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 1a05992d246068880848fe06350ba994
SHA-256: 17b0e6e06afc15d2028e2c1d40ac7e2e158e419d49176900fa7b35d805b26abc
 
Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
thunderbird-17.0.6-2.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: cf90877acac7640e3451268b6860a9b6
SHA-256: b0d40de5ae294203132b4de137ffb03460314e6db78e3b35e755c12746ace057
 
x86_64:
thunderbird-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
    MD5: c49c4a760213a859b035af381c30a73a
SHA-256: 3384586c3486c88c15ff32ee881ab50d94fe43a73a9695fa6533575e65914427
thunderbird-debuginfo-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
    MD5: 1a05992d246068880848fe06350ba994
SHA-256: 17b0e6e06afc15d2028e2c1d40ac7e2e158e419d49176900fa7b35d805b26abc
 
Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
thunderbird-17.0.6-2.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: cf90877acac7640e3451268b6860a9b6
SHA-256: b0d40de5ae294203132b4de137ffb03460314e6db78e3b35e755c12746ace057
 
IA-32:
thunderbird-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2013:1480
    MD5: bdd8d72fe6e8bdbb6c704a6106b45659
SHA-256: d869c19cd4acea819874744b398be53cd5fc47914299cbcdeb388b52d2409c47
thunderbird-debuginfo-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2013:1480
    MD5: d3c5584a60ed73dffdebd04145d23676
SHA-256: 96c95708ed1837722ff2205af7dd9db9694d59479dfea76f602c50fcac0626df
 
PPC:
thunderbird-17.0.6-2.el6_4.ppc64.rpm
File outdated by:  RHSA-2013:1480
    MD5: e52e028f0dd96faf118d06dc9b12cb5b
SHA-256: b96fd2348b4bf42f35cb611b903c75b720c707f598c84a81060fd25afadd2832
thunderbird-debuginfo-17.0.6-2.el6_4.ppc64.rpm
File outdated by:  RHSA-2013:1480
    MD5: cdb020d5c51d1097854538074612dab1
SHA-256: 2f2b3928f705bfe51bd6269237bfe66cfe47452f0d755f421b6b1b1032034268
 
s390x:
thunderbird-17.0.6-2.el6_4.s390x.rpm
File outdated by:  RHSA-2013:1480
    MD5: 2533eb155cd9252d698c13855240fe26
SHA-256: be2c6ff01707fb1dd1fff35f1068b97328eca117cfb50a5ca62d471b849fb307
thunderbird-debuginfo-17.0.6-2.el6_4.s390x.rpm
File outdated by:  RHSA-2013:1480
    MD5: 808d285bb4f239a883bacfba00639d93
SHA-256: 784f0839c3c7b54e5f6244c90a845f920a43c31c58acbe5433921f585b58c584
 
x86_64:
thunderbird-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
    MD5: c49c4a760213a859b035af381c30a73a
SHA-256: 3384586c3486c88c15ff32ee881ab50d94fe43a73a9695fa6533575e65914427
thunderbird-debuginfo-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
    MD5: 1a05992d246068880848fe06350ba994
SHA-256: 17b0e6e06afc15d2028e2c1d40ac7e2e158e419d49176900fa7b35d805b26abc
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-17.0.6-2.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: cf90877acac7640e3451268b6860a9b6
SHA-256: b0d40de5ae294203132b4de137ffb03460314e6db78e3b35e755c12746ace057
 
IA-32:
thunderbird-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: bdd8d72fe6e8bdbb6c704a6106b45659
SHA-256: d869c19cd4acea819874744b398be53cd5fc47914299cbcdeb388b52d2409c47
thunderbird-debuginfo-17.0.6-2.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: d3c5584a60ed73dffdebd04145d23676
SHA-256: 96c95708ed1837722ff2205af7dd9db9694d59479dfea76f602c50fcac0626df
 
x86_64:
thunderbird-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: c49c4a760213a859b035af381c30a73a
SHA-256: 3384586c3486c88c15ff32ee881ab50d94fe43a73a9695fa6533575e65914427
thunderbird-debuginfo-17.0.6-2.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 1a05992d246068880848fe06350ba994
SHA-256: 17b0e6e06afc15d2028e2c1d40ac7e2e158e419d49176900fa7b35d805b26abc
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see Bugzilla for more information)

962591 - CVE-2013-0801 Mozilla: Miscellaneous memory safety hazards (rv:17.0.6) (MFSA 2013-41)
962596 - CVE-2013-1670 Mozilla: Privileged access for content level constructor (MFSA 2013-42)
962598 - CVE-2013-1674 Mozilla: Use-after-free with video and onresize event (MFSA 2013-46)
962601 - CVE-2013-1675 Mozilla: Uninitialized functions in DOMSVGZoomEvent (MFSA 2013-47)
962603 - CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679 CVE-2013-1680 CVE-2013-1681 Mozilla: Memory corruption found using Address Sanitizer (MFSA 2013-48)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/