Red Hat Customer Portal

Security Advisory Important: thunderbird security update

Advisory: RHSA-2016:0001-1
Type: Security Advisory
Severity: Important
Issued on: 2016-01-05
Last updated on: 2016-01-05
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server AUS (v. 7.2)
Red Hat Enterprise Linux Server EUS (v. 6.7.z)
Red Hat Enterprise Linux Server EUS (v. 7.2)
Red Hat Enterprise Linux Workstation (v. 6)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2015-7201
CVE-2015-7205
CVE-2015-7212
CVE-2015-7213
CVE-2015-7214

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-7201, CVE-2015-7205, CVE-2015-7212, CVE-2015-7213)

A flaw was found in the way Thunderbird handled content using the 'data:'
and 'view-source:' URIs. An attacker could use this flaw to bypass the
same-origin policy and read data from cross-site URLs and local files.
(CVE-2015-7214)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Andrei Vaida, Jesse Ruderman, Bob Clary, Abhishek
Arya, Ronald Crane, and Tsubasa Iinuma as the original reporters of these
issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.5.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.5.0 and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-38.5.0-1.el5_11.src.rpm
File outdated by: RHSA-2016:1809

IA-32:
thunderbird-38.5.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-38.5.0-1.el5_11.src.rpm
File outdated by: RHSA-2016:1809

IA-32:
thunderbird-38.5.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-38.5.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1809

IA-32:
thunderbird-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
thunderbird-38.5.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-38.5.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1809

IA-32:
thunderbird-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1809

PPC:
thunderbird-38.5.0-1.el6_7.ppc64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.ppc64.rpm
File outdated by: RHSA-2016:1809

s390x:
thunderbird-38.5.0-1.el6_7.s390x.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.s390x.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
thunderbird-38.5.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1809

PPC64LE:
thunderbird-38.5.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Server AUS (v. 7.2)

SRPMS:
thunderbird-38.5.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
thunderbird-38.5.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1809

IA-32:
thunderbird-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:0460
thunderbird-debuginfo-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:0460

PPC:
thunderbird-38.5.0-1.el6_7.ppc64.rpm
File outdated by: RHSA-2016:0460
thunderbird-debuginfo-38.5.0-1.el6_7.ppc64.rpm
File outdated by: RHSA-2016:0460

s390x:
thunderbird-38.5.0-1.el6_7.s390x.rpm
File outdated by: RHSA-2016:0460
thunderbird-debuginfo-38.5.0-1.el6_7.s390x.rpm
File outdated by: RHSA-2016:0460

x86_64:
thunderbird-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:0460
thunderbird-debuginfo-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:0460
 
Red Hat Enterprise Linux Server EUS (v. 7.2)

SRPMS:
thunderbird-38.5.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1809

PPC64LE:
thunderbird-38.5.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-38.5.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1809

IA-32:
thunderbird-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1809
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
thunderbird-38.5.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1809

x86_64:
thunderbird-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
thunderbird-debuginfo-38.5.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1809
 
(The unlinked packages above are only available from the Red Hat Network)
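
An added example (not part of the Red Hat advisory): a fleet check that compares each host's installed thunderbird build against the fixed builds listed above for its RHEL major release. The host names, the inventory lines and the simplified `rpmvercmp` are assumptions constructed for illustration.

```python
import re

# Fixed builds from this advisory's package list, keyed by RHEL major release.
FIXED = {"el5": ("38.5.0", "1.el5_11"),
         "el6": ("38.5.0", "1.el6_7"),
         "el7": ("38.5.0", "1.el7_2")}

# Constructed sample inventory: "<host> <name> <version> <release>", e.g. collected
# per host with: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' thunderbird
INVENTORY = """\
mail01 thunderbird 38.4.0 1.el6_7
desk07 thunderbird 38.5.0 1.el7_2
desk12 thunderbird 31.8.0 1.el5_11
ws03 thunderbird 38.5.0 1.el6_7
lab02 thunderbird 38.10.0 1.el7_2
"""

def rpmvercmp(a, b):
    """Simplified RPM version compare (assumption: no tilde/caret/epoch handling).
    Returns -1, 0 or 1. Numeric segments compare as integers, so 38.10 > 38.5."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def check(line):
    """Classify one inventory line as fixed, vulnerable or unknown for this erratum."""
    host, name, version, release = line.split()
    dist = re.search(r"\.(el\d+)", release)
    if name != "thunderbird" or not dist or dist.group(1) not in FIXED:
        return host, "unknown"
    fixed_version, fixed_release = FIXED[dist.group(1)]
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return host, ("fixed" if cmp >= 0 else "vulnerable")

def audit(text):
    """Map host -> status for every non-empty inventory line."""
    return dict(check(line) for line in text.splitlines() if line.strip())

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Here "fixed" means at or above the build shipped in this erratum only; the package list marks these builds as outdated by later errata, which need their own check.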

Bugs fixed (see Bugzilla for more information)

1291571 - CVE-2015-7201 Mozilla: Miscellaneous memory safety hazards (rv:38.5) (MFSA 2015-134)
1291587 - CVE-2015-7212 Mozilla: Integer overflow allocating extremely large textures (MFSA 2015-139)
1291595 - CVE-2015-7205 Mozilla: Underflow through code inspection (MFSA 2015-145)
1291596 - CVE-2015-7213 Mozilla: Integer overflow in MP4 playback in 64-bit versions (MFSA 2015-146)
1291600 - CVE-2015-7214 Mozilla: Cross-site reading attack through data: and view-source: URIs (MFSA 2015-149)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/