Security Advisory Important: thunderbird security update

Advisory: RHSA-2015:1012-1
Type: Security Advisory
Severity: Important
Issued on: 2015-05-18
Last updated on: 2015-05-18
Affected Products:
    RHEL Optional Productivity Applications (v. 5 server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux Desktop (v. 6)
    Red Hat Enterprise Linux Desktop (v. 7)
    Red Hat Enterprise Linux Server (v. 6)
    Red Hat Enterprise Linux Server (v. 7)
    Red Hat Enterprise Linux Server AUS (v. 6.6)
    Red Hat Enterprise Linux Server EUS (v. 6.6.z)
    Red Hat Enterprise Linux Server EUS (v. 7.1)
    Red Hat Enterprise Linux Workstation (v. 6)
    Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org):
    CVE-2015-2708
    CVE-2015-2710
    CVE-2015-2713
    CVE-2015-2716

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713)

A heap-based buffer overflow flaw was found in the way Thunderbird
processed compressed XML data. An attacker could create specially crafted
compressed XML content that, when processed by Thunderbird, could cause it
to crash or execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-2716)

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. They could be exploited another way in Thunderbird, for example,
when viewing the full remote content of an RSS feed.

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve
Fink, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the original
reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 31.7. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 31.7 and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.
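
An added example, not part of Red Hat's advisory: a Python check that classifies installed thunderbird builds against the fixed builds listed under "Updated packages". The host names and inventory are constructed, and the version comparison is a simplified form of RPM's segment ordering that ignores '~' and '^'.

```python
import re

# Fixed builds named in this advisory, keyed by the dist tag's major release.
FIXED = {"el5": "31.7.0-1.el5_11", "el6": "31.7.0-1.el6_6", "el7": "31.7.0-1.el7_1"}

def rpmvercmp(a, b):
    """Simplified rpmvercmp over digit/alpha segments; '~' and '^' are not
    handled (the builds in this advisory do not use them)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        if x.isdigit():
            x, y = int(x), int(y)             # 10 > 7, not "10" < "7"
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def status(installed):
    """Classify one installed thunderbird build against the advisory."""
    m = re.search(r"\.(el\d+)", installed)
    fixed = FIXED.get(m.group(1)) if m else None
    if fixed is None:
        return "unknown"                      # not a RHEL 5/6/7 build
    return "fixed" if evr_cmp(installed, fixed) >= 0 else "vulnerable"

# Constructed inventory: host -> output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird
INVENTORY = {"desk-01": "31.6.0-1.el6_6", "desk-02": "31.7.0-1.el7_1",
             "desk-03": "31.10.0-1.el5_11", "desk-04": "31.7.0-1.fc21"}

def audit(inventory):
    return {host: status(build) for host, build in inventory.items()}

if __name__ == "__main__":
    for host, result in sorted(audit(INVENTORY).items()):
        print(host, INVENTORY[host], result)
```

A host reported as "fixed" still runs the old code until Thunderbird has been restarted, as the advisory notes.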


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-31.7.0-1.el5_11.src.rpm
File outdated by:  RHSA-2017:0498
 
IA-32:
thunderbird-31.7.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2017:0498
thunderbird-debuginfo-31.7.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2017:0498
 
x86_64:
thunderbird-31.7.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2017:0498
thunderbird-debuginfo-31.7.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2017:0498
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-31.7.0-1.el5_11.src.rpm
File outdated by:  RHSA-2017:0498
 
IA-32:
thunderbird-31.7.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2017:0498
thunderbird-debuginfo-31.7.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2017:0498
 
x86_64:
thunderbird-31.7.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2017:0498
thunderbird-debuginfo-31.7.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2017:0498
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-31.7.0-1.el6_6.src.rpm
File outdated by:  RHSA-2017:1561
 
IA-32:
thunderbird-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2017:1561
 
Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
thunderbird-31.7.0-1.el7_1.src.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2017:1561
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-31.7.0-1.el6_6.src.rpm
File outdated by:  RHSA-2017:1561
 
IA-32:
thunderbird-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2017:1561
 
PPC:
thunderbird-31.7.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2017:1561
 
s390x:
thunderbird-31.7.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2017:1561
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
thunderbird-31.7.0-1.el7_1.src.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2017:1561
 
Red Hat Enterprise Linux Server AUS (v. 6.6)

SRPMS:
thunderbird-31.7.0-1.el6_6.src.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2015:1455
 
Red Hat Enterprise Linux Server EUS (v. 6.6.z)

SRPMS:
thunderbird-31.7.0-1.el6_6.src.rpm
File outdated by:  RHSA-2017:1561
 
IA-32:
thunderbird-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2015:1455
 
PPC:
thunderbird-31.7.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.7.0-1.el6_6.ppc64.rpm
File outdated by:  RHSA-2015:1455
 
s390x:
thunderbird-31.7.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.7.0-1.el6_6.s390x.rpm
File outdated by:  RHSA-2015:1455
 
x86_64:
thunderbird-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2015:1455
thunderbird-debuginfo-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2015:1455
 
Red Hat Enterprise Linux Server EUS (v. 7.1)

SRPMS:
thunderbird-31.7.0-1.el7_1.src.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2015:1852
thunderbird-debuginfo-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2015:1852
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-31.7.0-1.el6_6.src.rpm
File outdated by:  RHSA-2017:1561
 
IA-32:
thunderbird-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.i686.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el6_6.x86_64.rpm
File outdated by:  RHSA-2017:1561
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
thunderbird-31.7.0-1.el7_1.src.rpm
File outdated by:  RHSA-2017:1561
 
x86_64:
thunderbird-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2017:1561
thunderbird-debuginfo-31.7.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2017:1561
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1220597 - CVE-2015-2708 Mozilla: Miscellaneous memory safety hazards (rv:31.7) (MFSA 2015-46)
1220601 - CVE-2015-2710 Mozilla: Buffer overflow with SVG content and CSS (MFSA 2015-48)
1220605 - CVE-2015-2713 Mozilla: Use-after-free during text processing with vertical text enabled (MFSA 2015-51)
1220607 - CVE-2015-2716 Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/