Security Advisory Important: thunderbird security update

Advisory: RHSA-2015:1682-1
Type: Security Advisory
Severity: Important
Issued on: 2015-08-25
Last updated on: 2015-08-25
Affected Products:
    RHEL Optional Productivity Applications (v. 5 server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux Desktop (v. 6)
    Red Hat Enterprise Linux Desktop (v. 7)
    Red Hat Enterprise Linux Server (v. 6)
    Red Hat Enterprise Linux Server (v. 7)
    Red Hat Enterprise Linux Server EUS (v. 6.7.z)
    Red Hat Enterprise Linux Server EUS (v. 7.1)
    Red Hat Enterprise Linux Workstation (v. 6)
    Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org):
    CVE-2015-4473
    CVE-2015-4487
    CVE-2015-4488
    CVE-2015-4489
    CVE-2015-4491

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-4473, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488,
CVE-2015-4489)

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. However, they could be exploited in other ways in Thunderbird
(for example, by viewing the full remote content of an RSS feed).

Red Hat would like to thank the Mozilla project for reporting these
issues. Upstream acknowledges Gary Kwong, Christian Holler, Byron Campen,
Gustavo Grieco, and Ronald Crane as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.2. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.2 and corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.
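
An added example (not part of the Red Hat advisory): a Python check that classifies an installed thunderbird version-release string against the fixed builds listed under "Updated packages". The comparison is a simplified rpmvercmp (no epoch, `~` or `^` handling), the function names are hypothetical, and the sample inputs are constructed.

```python
import re

# Fixed builds per RHEL major release, taken from this advisory's package list.
FIXED = {"5": "38.2.0-4.el5_11", "6": "38.2.0-4.el6_7", "7": "38.2.0-1.el7_1"}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp (assumption: no '~' or '^'). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment outranks alpha
        if x.isdigit():
            x, y = int(x), int(y)             # 11 > 9, unlike string compare
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings; epoch is assumed equal."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(installed_vr):
    """Classify output of: rpm -q --qf '%{VERSION}-%{RELEASE}' thunderbird"""
    m = re.search(r"\.el([0-9]+)", installed_vr)
    if "-" not in installed_vr or not m or m.group(1) not in FIXED:
        return "unknown"                      # not a RHEL 5/6/7 build
    fixed = FIXED[m.group(1)]
    return "fixed" if vr_cmp(installed_vr, fixed) >= 0 else "needs-update"

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    for vr in ("31.8.0-1.el6_6", "38.2.0-4.el6_7", "38.2.0-1.el6_7",
               "38.2.0-4.el5_9", "45.5.1-1.el7_3", "38.2.0-4.fc22"):
        print(f"thunderbird-{vr}: {audit(vr)}")
```
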


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-38.2.0-4.el5_11.src.rpm
File outdated by:  RHSA-2016:2850
 
IA-32:
thunderbird-38.2.0-4.el5_11.i386.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el5_11.i386.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-4.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-38.2.0-4.el5_11.src.rpm
File outdated by:  RHSA-2016:2850
 
IA-32:
thunderbird-38.2.0-4.el5_11.i386.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el5_11.i386.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-4.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-38.2.0-4.el6_7.src.rpm
File outdated by:  RHSA-2016:2850
 
IA-32:
thunderbird-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
thunderbird-38.2.0-1.el7_1.src.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-38.2.0-4.el6_7.src.rpm
File outdated by:  RHSA-2016:2850
 
IA-32:
thunderbird-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:2850
 
PPC:
thunderbird-38.2.0-4.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:2850
 
s390x:
thunderbird-38.2.0-4.el6_7.s390x.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.s390x.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
thunderbird-38.2.0-1.el7_1.src.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
thunderbird-38.2.0-4.el6_7.src.rpm
File outdated by:  RHSA-2016:2850
 
IA-32:
thunderbird-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:0460
 
PPC:
thunderbird-38.2.0-4.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.2.0-4.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:0460
 
s390x:
thunderbird-38.2.0-4.el6_7.s390x.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.2.0-4.el6_7.s390x.rpm
File outdated by:  RHSA-2016:0460
 
x86_64:
thunderbird-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:0460
 
Red Hat Enterprise Linux Server EUS (v. 7.1)

SRPMS:
thunderbird-38.2.0-1.el7_1.src.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2015:1852
thunderbird-debuginfo-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2015:1852
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-38.2.0-4.el6_7.src.rpm
File outdated by:  RHSA-2016:2850
 
IA-32:
thunderbird-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.i686.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-4.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
thunderbird-38.2.0-1.el7_1.src.rpm
File outdated by:  RHSA-2016:2850
 
x86_64:
thunderbird-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2016:2850
thunderbird-debuginfo-38.2.0-1.el7_1.x86_64.rpm
File outdated by:  RHSA-2016:2850
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1252271 - CVE-2015-4473 Mozilla: Miscellaneous memory safety hazards (rv:38.2) (MFSA 2015-79)
1252290 - CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88)
1252293 - CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-90)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/