Red Hat Customer Portal

Security Advisory Important: thunderbird security update

Advisory: RHSA-2016:0460-1
Type: Security Advisory
Severity: Important
Issued on: 2016-03-16
Last updated on: 2016-03-16
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server AUS (v. 7.2)
Red Hat Enterprise Linux Server EUS (v. 6.7.z)
Red Hat Enterprise Linux Server EUS (v. 7.2)
Red Hat Enterprise Linux Workstation (v. 6)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2016-1952
CVE-2016-1954
CVE-2016-1957
CVE-2016-1960
CVE-2016-1961
CVE-2016-1964
CVE-2016-1966
CVE-2016-1974
CVE-2016-1977
CVE-2016-2790
CVE-2016-2791
CVE-2016-2792
CVE-2016-2793
CVE-2016-2794
CVE-2016-2795
CVE-2016-2796
CVE-2016-2797
CVE-2016-2798
CVE-2016-2799
CVE-2016-2800
CVE-2016-2801
CVE-2016-2802

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960,
CVE-2016-1961, CVE-2016-1974, CVE-2016-1964, CVE-2016-1966)

Multiple security flaws were found in the graphite2 font library shipped
with Thunderbird. A web page containing malicious content could cause
Thunderbird to crash or, potentially, execute arbitrary code with the
privileges of the user running Thunderbird. (CVE-2016-1977, CVE-2016-2790,
CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795,
CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800,
CVE-2016-2801, CVE-2016-2802)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bob Clary, Christoph Diehl, Christian Holler, Andrew
McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Nicolas
Golubovic, Jose Martinez, Romina Santillan, ca0nguyen, lokihardt, Nicolas
Grégoire, the Communications Electronics Security Group (UK) of the GCHQ,
Holger Fuhrmannek, Ronald Crane, and Tyson Smith as the original reporters
of these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.7.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.7.0 and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
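
An added example, not part of the Red Hat advisory: a fleet-inventory check that flags hosts whose installed thunderbird build is older than the fixed builds named in this advisory. The host names and inventory lines are constructed, and `vercmp` is a simplified reimplementation of RPM's segment-wise version ordering (no tilde or caret handling), not a call into rpm itself.

```python
import re

# Fixed builds from this advisory, keyed by major dist tag.
FIXED = {"el5": "38.7.0-1.el5_11", "el6": "38.7.0-1.el6_7", "el7": "38.7.0-1.el7_2"}
NVRA = re.compile(r"^thunderbird-(?P<ver>\d[^-]*)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1."""
    # RPM compares maximal runs of digits or letters; separators are skipped.
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts as newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_vulnerable(nvra):
    """True if older than the fix, False if fixed, None if not assessable."""
    m = NVRA.match(nvra)
    if not m:
        return None  # not the thunderbird application package
    dist = re.search(r"(?:^|\.)(el\d+)", m["rel"])
    fixed = FIXED.get(dist.group(1)) if dist else None
    if fixed is None:
        return None  # release stream not covered by this advisory
    fixed_ver, fixed_rel = fixed.split("-")
    # RPM orders by version first, then by release.
    return (vercmp(m["ver"], fixed_ver) or vercmp(m["rel"], fixed_rel)) < 0

def flag_hosts(inventory_lines):
    """Return sorted host names still running a pre-fix thunderbird build."""
    hits = set()
    for line in inventory_lines:
        host, _, pkg = line.strip().partition(" ")
        if is_vulnerable(pkg.strip()):
            hits.add(host)
    return sorted(hits)

# Constructed inventory, one "<host> <rpm -q thunderbird output>" per line.
SAMPLE = [
    "ws-01 thunderbird-38.6.0-1.el6_7.x86_64",
    "ws-02 thunderbird-38.7.0-1.el7_2.x86_64",
    "ws-03 thunderbird-38.5.0-1.el5_11.i386",
    "ws-04 thunderbird-38.8.0-1.el6_8.x86_64",
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE))
```

Hosts that report a fixed build still need Thunderbird restarted before the update takes effect, which a package inventory alone does not show.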

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-38.7.0-1.el5_11.src.rpm
File outdated by: RHSA-2016:1041

IA-32:
thunderbird-38.7.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-38.7.0-1.el5_11.src.rpm
File outdated by: RHSA-2016:1041

IA-32:
thunderbird-38.7.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el5_11.i386.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el5_11.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-38.7.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1041

IA-32:
thunderbird-38.7.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
thunderbird-38.7.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-38.7.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1041

IA-32:
thunderbird-38.7.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1041

PPC:
thunderbird-38.7.0-1.el6_7.ppc64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.ppc64.rpm
File outdated by: RHSA-2016:1041

s390x:
thunderbird-38.7.0-1.el6_7.s390x.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.s390x.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Server (v. 7)

SRPMS:
thunderbird-38.7.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1041

PPC64LE:
thunderbird-38.7.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Server AUS (v. 7.2)

SRPMS:
thunderbird-38.7.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
thunderbird-38.7.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1041

IA-32:
thunderbird-38.7.0-1.el6_7.i686.rpm
thunderbird-debuginfo-38.7.0-1.el6_7.i686.rpm

PPC:
thunderbird-38.7.0-1.el6_7.ppc64.rpm
thunderbird-debuginfo-38.7.0-1.el6_7.ppc64.rpm

s390x:
thunderbird-38.7.0-1.el6_7.s390x.rpm
thunderbird-debuginfo-38.7.0-1.el6_7.s390x.rpm

x86_64:
thunderbird-38.7.0-1.el6_7.x86_64.rpm
thunderbird-debuginfo-38.7.0-1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 7.2)

SRPMS:
thunderbird-38.7.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1041

PPC64LE:
thunderbird-38.7.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.ppc64le.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-38.7.0-1.el6_7.src.rpm
File outdated by: RHSA-2016:1041

IA-32:
thunderbird-38.7.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.i686.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el6_7.x86_64.rpm
File outdated by: RHSA-2016:1041

Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
thunderbird-38.7.0-1.el7_2.src.rpm
File outdated by: RHSA-2016:1041

x86_64:
thunderbird-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041
thunderbird-debuginfo-38.7.0-1.el7_2.x86_64.rpm
File outdated by: RHSA-2016:1041
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1315566 - CVE-2016-1952 Mozilla: Miscellaneous memory safety hazards (rv:38.7) (MFSA 2016-16)
1315569 - CVE-2016-1954 Mozilla: Local file overwriting and potential privilege escalation through CSP reports (MFSA 2016-17)
1315573 - CVE-2016-1957 Mozilla: Memory leak in libstagefright when deleting an array during MP4 processing (MFSA 2016-20)
1315576 - CVE-2016-1960 Mozilla: Use-after-free in HTML5 string parser (MFSA 2016-23)
1315577 - CVE-2016-1961 Mozilla: Use-after-free in SetBody (MFSA 2016-24)
1315774 - CVE-2016-1964 Mozilla: Use-after-free during XML transformations (MFSA 2016-27)
1315778 - CVE-2016-1966 Mozilla: Memory corruption with malicious NPAPI plugin (MFSA 2016-31)
1315785 - CVE-2016-1974 Mozilla: Out-of-bounds read in HTML parser following a failed allocation (MFSA 2016-34)
1315795 - graphite2: multiple font parsing vulnerabilities (Mozilla MFSA 2016-37)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/