Security Advisory Moderate: thunderbird security update

Advisory: RHSA-2008:0209-3
Type: Security Advisory
Severity: Moderate
Issued on: 2008-04-03
Last updated on: 2008-04-03
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
RHEL Optional Productivity Applications EUS (v. 5.1.z server)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.6.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.6.z)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2008-1233
CVE-2008-1234
CVE-2008-1235
CVE-2008-1236
CVE-2008-1237
CVE-2008-1238
CVE-2008-1241

Details

Updated thunderbird packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of some malformed HTML mail
content. An HTML mail message containing such malicious content could cause
Thunderbird to crash or, potentially, execute arbitrary code as the user
running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236,
CVE-2008-1237)

Several flaws were found in the display of malformed web content. An HTML
mail message containing specially-crafted content could, potentially, trick
a user into surrendering sensitive information. (CVE-2008-1234,
CVE-2008-1238, CVE-2008-1241)

Note: JavaScript support is disabled by default in Thunderbird; the above
issues are not exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to these updated packages, which
contain backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-1.5.0.12-11.el5_1.src.rpm
File outdated by:  RHSA-2008:0224
    MD5: d8c428e89bc4c296618d88bd96bb6057
 
IA-32:
thunderbird-1.5.0.12-11.el5_1.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 2f37c7a5f275f0280c9e9dad0ee6b018
 
x86_64:
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 7900e28635289079cd2a446f7d2dfd01
 
RHEL Optional Productivity Applications EUS (v. 5.1.z server)

SRPMS:
thunderbird-1.5.0.12-11.el5_1.src.rpm
File outdated by:  RHSA-2008:0224
    MD5: d8c428e89bc4c296618d88bd96bb6057
 
IA-32:
thunderbird-1.5.0.12-11.el5_1.i386.rpm
File outdated by:  RHSA-2008:0224
    MD5: 2f37c7a5f275f0280c9e9dad0ee6b018
 
x86_64:
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm
File outdated by:  RHSA-2008:0224
    MD5: 7900e28635289079cd2a446f7d2dfd01
 
Red Hat Desktop (v. 4)

SRPMS:
thunderbird-1.5.0.12-10.el4.src.rpm
File outdated by:  RHSA-2012:0085
    MD5: a250e7f831249d0715118277888f90f3
 
IA-32:
thunderbird-1.5.0.12-10.el4.i386.rpm
File outdated by:  RHSA-2012:0085
    MD5: 43e53a178cd5b8ba73ea21917ee15776
 
x86_64:
thunderbird-1.5.0.12-10.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 3963732ebac4f146e2db0938cc475df0
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
thunderbird-1.5.0.12-10.el4.src.rpm
File outdated by:  RHSA-2012:0085
    MD5: a250e7f831249d0715118277888f90f3
 
IA-32:
thunderbird-1.5.0.12-10.el4.i386.rpm
File outdated by:  RHSA-2012:0085
    MD5: 43e53a178cd5b8ba73ea21917ee15776
 
IA-64:
thunderbird-1.5.0.12-10.el4.ia64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 36db0db81e4fb31fcfe1ef9508710511
 
PPC:
thunderbird-1.5.0.12-10.el4.ppc.rpm
File outdated by:  RHSA-2012:0085
    MD5: 109f75e044ae9fd538d94b2075708fd4
 
s390:
thunderbird-1.5.0.12-10.el4.s390.rpm
File outdated by:  RHSA-2012:0085
    MD5: 55019ec6f207a717731ae3e633093f77
 
s390x:
thunderbird-1.5.0.12-10.el4.s390x.rpm
File outdated by:  RHSA-2012:0085
    MD5: 8dce42bdc50e820a55989364b48ea337
 
x86_64:
thunderbird-1.5.0.12-10.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 3963732ebac4f146e2db0938cc475df0
 
Red Hat Enterprise Linux AS (v. 4.6.z)

SRPMS:
thunderbird-1.5.0.12-10.el4.src.rpm
File outdated by:  RHSA-2012:0085
    MD5: a250e7f831249d0715118277888f90f3
 
IA-32:
thunderbird-1.5.0.12-10.el4.i386.rpm
File outdated by:  RHSA-2008:0616
    MD5: 43e53a178cd5b8ba73ea21917ee15776
 
IA-64:
thunderbird-1.5.0.12-10.el4.ia64.rpm
File outdated by:  RHSA-2008:0616
    MD5: 36db0db81e4fb31fcfe1ef9508710511
 
PPC:
thunderbird-1.5.0.12-10.el4.ppc.rpm
File outdated by:  RHSA-2008:0616
    MD5: 109f75e044ae9fd538d94b2075708fd4
 
s390:
thunderbird-1.5.0.12-10.el4.s390.rpm
File outdated by:  RHSA-2008:0616
    MD5: 55019ec6f207a717731ae3e633093f77
 
s390x:
thunderbird-1.5.0.12-10.el4.s390x.rpm
File outdated by:  RHSA-2008:0616
    MD5: 8dce42bdc50e820a55989364b48ea337
 
x86_64:
thunderbird-1.5.0.12-10.el4.x86_64.rpm
File outdated by:  RHSA-2008:0616
    MD5: 3963732ebac4f146e2db0938cc475df0
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-1.5.0.12-11.el5_1.src.rpm
File outdated by:  RHSA-2008:0224
    MD5: d8c428e89bc4c296618d88bd96bb6057
 
IA-32:
thunderbird-1.5.0.12-11.el5_1.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 2f37c7a5f275f0280c9e9dad0ee6b018
 
x86_64:
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 7900e28635289079cd2a446f7d2dfd01
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
thunderbird-1.5.0.12-10.el4.src.rpm
File outdated by:  RHSA-2012:0085
    MD5: a250e7f831249d0715118277888f90f3
 
IA-32:
thunderbird-1.5.0.12-10.el4.i386.rpm
File outdated by:  RHSA-2012:0085
    MD5: 43e53a178cd5b8ba73ea21917ee15776
 
IA-64:
thunderbird-1.5.0.12-10.el4.ia64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 36db0db81e4fb31fcfe1ef9508710511
 
x86_64:
thunderbird-1.5.0.12-10.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 3963732ebac4f146e2db0938cc475df0
 
Red Hat Enterprise Linux ES (v. 4.6.z)

SRPMS:
thunderbird-1.5.0.12-10.el4.src.rpm
File outdated by:  RHSA-2012:0085
    MD5: a250e7f831249d0715118277888f90f3
 
IA-32:
thunderbird-1.5.0.12-10.el4.i386.rpm
File outdated by:  RHSA-2008:0616
    MD5: 43e53a178cd5b8ba73ea21917ee15776
 
IA-64:
thunderbird-1.5.0.12-10.el4.ia64.rpm
File outdated by:  RHSA-2008:0616
    MD5: 36db0db81e4fb31fcfe1ef9508710511
 
x86_64:
thunderbird-1.5.0.12-10.el4.x86_64.rpm
File outdated by:  RHSA-2008:0616
    MD5: 3963732ebac4f146e2db0938cc475df0
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
thunderbird-1.5.0.12-10.el4.src.rpm
File outdated by:  RHSA-2012:0085
    MD5: a250e7f831249d0715118277888f90f3
 
IA-32:
thunderbird-1.5.0.12-10.el4.i386.rpm
File outdated by:  RHSA-2012:0085
    MD5: 43e53a178cd5b8ba73ea21917ee15776
 
IA-64:
thunderbird-1.5.0.12-10.el4.ia64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 36db0db81e4fb31fcfe1ef9508710511
 
x86_64:
thunderbird-1.5.0.12-10.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
    MD5: 3963732ebac4f146e2db0938cc475df0
 
(The unlinked packages above are only available from the Red Hat Network)
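
The check an administrator would run against the package list above, as an added example that is not part of the Red Hat advisory: it compares an installed thunderbird `epoch:version-release` string with the fixed builds named on this page, using a simplified form of rpm's segment-wise version comparison (no `~` or `^` handling). The host names and installed versions in the inventory are constructed sample data.

```python
import re

# Fixed builds listed under "Updated packages" in this advisory, by RHEL major version.
FIXED = {"4": "1.5.0.12-10.el4", "5": "1.5.0.12-11.el5_1"}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm's rpmvercmp (no '~' or '^' handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)           # compare numbers as numbers, not as strings
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    """Split '[epoch:]version-release'; a missing or '(none)' epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch.isdigit() else 0), version, release

def evr_cmp(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_evr, rhel_major):
    """True if the installed thunderbird build is at or past this advisory's fixed build."""
    return evr_cmp(installed_evr, FIXED[rhel_major]) >= 0

if __name__ == "__main__":
    # Constructed inventory rows: (host, RHEL major, output of
    # rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' thunderbird)
    inventory = [
        ("host-a", "5", "(none):1.5.0.12-8.el5"),
        ("host-b", "5", "0:1.5.0.12-11.el5_1"),
        ("host-c", "4", "1.5.0.12-9.el4"),
        ("host-d", "4", "1.5.0.14-1.el4"),
    ]
    for host, major, evr in inventory:
        print(host, evr, "fixed" if is_fixed(evr, major) else "needs RHSA-2008:0209")
```

The numeric handling matters here: release `9.el4` sorts below `10.el4`, which a plain string comparison would get backwards.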

Bugs fixed (see bugzilla for more information)

438713 - CVE-2008-1233 Mozilla products XPCNativeWrapper pollution
438715 - CVE-2008-1234 universal XSS using event handlers
438717 - CVE-2008-1235 chrome privilege via wrong principal
438718 - CVE-2008-1236 browser engine crashes
438721 - CVE-2008-1237 javascript crashes
438724 - CVE-2008-1238 Referrer spoofing bug
438730 - CVE-2008-1241 XUL popup spoofing


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/