Security Advisory Important: thunderbird security update

Advisory: RHSA-2015:0266-1
Type: Security Advisory
Severity: Important
Issued on: 2015-02-25
Last updated on: 2015-02-25
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.6.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2015-0822
CVE-2015-0827
CVE-2015-0831
CVE-2015-0836

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5 and 6.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-0836, CVE-2015-0831, CVE-2015-0827)

An information leak flaw was found in the way Thunderbird implemented
autocomplete forms. An attacker able to trick a user into specifying a
local file in the form could use this flaw to access the contents of that
file. (CVE-2015-0822)

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. They could be exploited another way in Thunderbird, for example,
when viewing the full remote content of an RSS feed.

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Carsten Book, Christoph Diehl, Gary Kwong, Jan de
Mooij, Liz Henry, Byron Campen, Tom Schuster, Ryan VanderMeulen, Paul
Bandha, Abhishek Arya, and Armin Razmdjou as the original reporters of
these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 31.5.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 31.5.0 and corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.
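
An added example, not part of the Red Hat advisory: one way to flag hosts whose installed thunderbird build is older than the fixed packages this erratum lists. The host names, the inventory format and the function names are constructed for illustration; the comparison is a simplified form of RPM's version ordering, and equal epochs are assumed.

```python
import re

# Fixed builds named in this advisory, keyed by RHEL major version.
FIXED = {"5": ("31.5.0", "1.el5_11"), "6": ("31.5.0", "1.el6_6")}

def rpmvercmp(a, b):
    """Compare two version or release strings the way RPM orders them
    (simplified: no '~' or '^' handling). Returns -1, 0 or 1."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # 10 > 5, unlike string comparison
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(nvra):
    """True if a thunderbird NAME-VERSION-RELEASE.ARCH string is older than
    the fixed build for its RHEL major version; None if not covered here."""
    nvr, _arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    m = re.search(r"\.el([0-9]+)", release)
    if name != "thunderbird" or not m or m.group(1) not in FIXED:
        return None
    fixed_version, fixed_release = FIXED[m.group(1)]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order < 0

# Constructed inventory: "host package" pairs as a collection job might record them.
INVENTORY = """\
ws-01 thunderbird-31.4.0-1.el6_6.x86_64
ws-02 thunderbird-31.5.0-1.el6_6.x86_64
srv-03 thunderbird-31.3.0-1.el5_11.i386
ws-04 thunderbird-31.10.0-1.el6_6.x86_64
"""

def audit(text):
    """Return the hosts whose thunderbird build predates the fix."""
    pairs = (line.split() for line in text.splitlines() if line.strip())
    return [host for host, pkg in pairs if needs_update(pkg)]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

The constructed ws-04 entry shows why a plain string comparison is not enough: 31.10.0 sorts before 31.5.0 as text but is the newer build.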


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-31.5.0-1.el5_11.src.rpm
File outdated by:  RHSA-2016:1041

IA-32:
thunderbird-31.5.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1041

x86_64:
thunderbird-31.5.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1041

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-31.5.0-1.el5_11.src.rpm
File outdated by:  RHSA-2016:1041

IA-32:
thunderbird-31.5.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1041

x86_64:
thunderbird-31.5.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1041

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-31.5.0-1.el6_6.src.rpm
File outdated by:  RHSA-2016:1041

IA-32:
thunderbird-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2016:1041

x86_64:
thunderbird-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2016:1041

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-31.5.0-1.el6_6.src.rpm
File outdated by:  RHSA-2016:1041

IA-32:
thunderbird-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2016:1041

PPC:
thunderbird-31.5.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2016:1041

s390x:
thunderbird-31.5.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2016:1041

x86_64:
thunderbird-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2016:1041

Red Hat Enterprise Linux Server EUS (v. 6.6.z)

SRPMS:
thunderbird-31.5.0-1.el6_6.src.rpm
File outdated by:  RHSA-2016:1041

IA-32:
thunderbird-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2015:1455

PPC:
thunderbird-31.5.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.5.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2015:1455

s390x:
thunderbird-31.5.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.5.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2015:1455

x86_64:
thunderbird-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2015:1455

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-31.5.0-1.el6_6.src.rpm
File outdated by:  RHSA-2016:1041

IA-32:
thunderbird-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2016:1041

x86_64:
thunderbird-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2016:1041
thunderbird-debuginfo-31.5.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2016:1041

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1195605 - CVE-2015-0836 Mozilla: Miscellaneous memory safety hazards (rv:31.5) (MFSA 2015-11)
1195619 - CVE-2015-0831 Mozilla: Use-after-free in IndexedDB (MFSA 2015-16)
1195623 - CVE-2015-0827 Mozilla: Out-of-bounds read and write while rendering SVG content (MFSA 2015-19)
1195638 - CVE-2015-0822 Mozilla: Reading of local files through manipulation of form autocomplete (MFSA 2015-24)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/