Security Advisory Important: thunderbird security update

Advisory: RHSA-2015:2519-1
Type: Security Advisory
Severity: Important
Issued on: 2015-11-26
Last updated on: 2015-11-26
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server AUS (v. 7.2)
Red Hat Enterprise Linux Server EUS (v. 6.7.z)
Red Hat Enterprise Linux Server EUS (v. 7.2)
Red Hat Enterprise Linux Workstation (v. 6)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2015-4513
CVE-2015-7189
CVE-2015-7193
CVE-2015-7197
CVE-2015-7198
CVE-2015-7199
CVE-2015-7200

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7197, CVE-2015-7198,
CVE-2015-7199, CVE-2015-7200)

A same-origin policy bypass flaw was found in the way Thunderbird handled
certain cross-origin resource sharing (CORS) requests. A web page
containing malicious content could cause Thunderbird to disclose sensitive
information. (CVE-2015-7193)

Note: None of the above issues can be exploited by a specially crafted
HTML mail message because JavaScript is disabled by default for mail
messages. However, they could be exploited in other ways in Thunderbird
(for example, by viewing the full remote content of an RSS feed).

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson
Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff
Walden, Gary Kwong, Looben Yang, Shinto K Anto, Ronald Crane, and Ehsan
Akhgari as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.4.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.4.0, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-38.4.0-1.el5_11.src.rpm
File outdated by:  RHSA-2016:1809
 
IA-32:
thunderbird-38.4.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-38.4.0-1.el5_11.src.rpm
File outdated by:  RHSA-2016:1809
 
IA-32:
thunderbird-38.4.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el5_11.i386.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el5_11.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-38.4.0-1.el6_7.src.rpm
File outdated by:  RHSA-2016:1809
 
IA-32:
thunderbird-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
thunderbird-38.4.0-1.el7_2.src.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-38.4.0-1.el6_7.src.rpm
File outdated by:  RHSA-2016:1809
 
IA-32:
thunderbird-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:1809
 
PPC:
thunderbird-38.4.0-1.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:1809
 
s390x:
thunderbird-38.4.0-1.el6_7.s390x.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.s390x.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
thunderbird-38.4.0-1.el7_2.src.rpm
File outdated by:  RHSA-2016:1809
 
PPC64LE:
thunderbird-38.4.0-1.el7_2.ppc64le.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.ppc64le.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Server AUS (v. 7.2)

SRPMS:
thunderbird-38.4.0-1.el7_2.src.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
thunderbird-38.4.0-1.el6_7.src.rpm
File outdated by:  RHSA-2016:1809
 
IA-32:
thunderbird-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:0460
 
PPC:
thunderbird-38.4.0-1.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.4.0-1.el6_7.ppc64.rpm
File outdated by:  RHSA-2016:0460
 
s390x:
thunderbird-38.4.0-1.el6_7.s390x.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.4.0-1.el6_7.s390x.rpm
File outdated by:  RHSA-2016:0460
 
x86_64:
thunderbird-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:0460
thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:0460
 
Red Hat Enterprise Linux Server EUS (v. 7.2)

SRPMS:
thunderbird-38.4.0-1.el7_2.src.rpm
File outdated by:  RHSA-2016:1809
 
PPC64LE:
thunderbird-38.4.0-1.el7_2.ppc64le.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.ppc64le.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-38.4.0-1.el6_7.src.rpm
File outdated by:  RHSA-2016:1809
 
IA-32:
thunderbird-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
thunderbird-38.4.0-1.el7_2.src.rpm
File outdated by:  RHSA-2016:1809
 
x86_64:
thunderbird-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm
File outdated by:  RHSA-2016:1809
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1277332 - CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116)
1277344 - CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123)
1277346 - CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)
1277350 - CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
1277351 - CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/