Security Advisory Critical: thunderbird security update

Advisory: RHSA-2011:1343-1
Type: Security Advisory
Severity: Critical
Issued on: 2011-09-28
Last updated on: 2011-09-28
Affected Products:
    RHEL Optional Productivity Applications (v. 5 server)
    Red Hat Desktop (v. 4)
    Red Hat Enterprise Linux AS (v. 4)
    Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux ES (v. 4)
    Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org):
    CVE-2011-2998
    CVE-2011-2999

Details

An updated thunderbird package that fixes two security issues is now
available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

A flaw was found in the way Thunderbird handled frame objects with certain
names. An attacker could use this flaw to cause a plug-in to grant its
content access to another site or the local file system, violating the
same-origin policy. (CVE-2011-2999)

An integer underflow flaw was found in the way Thunderbird handled large
JavaScript regular expressions. An HTML mail message containing malicious
JavaScript could cause Thunderbird to access already freed memory, causing
Thunderbird to crash or, potentially, execute arbitrary code with the
privileges of the user running Thunderbird. (CVE-2011-2998)

All Thunderbird users should upgrade to this updated package, which
resolves these issues. All running instances of Thunderbird must be
restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
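
To confirm that a host has reached the fixed builds listed in this advisory, the following added example (not Red Hat's code) compares an installed thunderbird version-release string against them. The function names, the simplified `rpmvercmp` (no `~` or `^` handling) and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds named in this advisory, keyed by RHEL major version.
FIXED_BUILDS = {4: "1.5.0.12-44.el4", 5: "2.0.0.24-26.el5_7"}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified RPM segment comparison; returns -1, 0 or 1."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def compare_evr(a, b):
    """Compare epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_evr, rhel_major):
    """True when the installed build is at or above this advisory's fix."""
    return compare_evr(installed_evr, FIXED_BUILDS[rhel_major]) >= 0


if __name__ == "__main__":
    # Constructed inventory: (host, RHEL major, installed thunderbird build).
    inventory = [("ws-01", 5, "2.0.0.24-25.el5"), ("ws-03", 4, "1.5.0.12-44.el4")]
    for host, major, evr in inventory:
        state = "ok" if is_patched(evr, major) else "NEEDS RHSA-2011:1343"
        print(f"{host}: thunderbird-{evr} {state}")
```

The input string can be collected with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird`. Passing this check only means the host meets this advisory's floor; the package list below marks these builds as outdated by later errata.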

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-2.0.0.24-26.el5_7.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-2.0.0.24-26.el5_7.i386.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-2.0.0.24-26.el5_7.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Desktop (v. 4)

SRPMS:
thunderbird-1.5.0.12-44.el4.src.rpm
File outdated by:  RHSA-2012:0085
 
IA-32:
thunderbird-1.5.0.12-44.el4.i386.rpm
File outdated by:  RHSA-2012:0085
 
x86_64:
thunderbird-1.5.0.12-44.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
thunderbird-1.5.0.12-44.el4.src.rpm
File outdated by:  RHSA-2012:0085
 
IA-32:
thunderbird-1.5.0.12-44.el4.i386.rpm
File outdated by:  RHSA-2012:0085
 
IA-64:
thunderbird-1.5.0.12-44.el4.ia64.rpm
File outdated by:  RHSA-2012:0085
 
PPC:
thunderbird-1.5.0.12-44.el4.ppc.rpm
File outdated by:  RHSA-2012:0085
 
s390:
thunderbird-1.5.0.12-44.el4.s390.rpm
File outdated by:  RHSA-2012:0085
 
s390x:
thunderbird-1.5.0.12-44.el4.s390x.rpm
File outdated by:  RHSA-2012:0085
 
x86_64:
thunderbird-1.5.0.12-44.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-2.0.0.24-26.el5_7.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-2.0.0.24-26.el5_7.i386.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-2.0.0.24-26.el5_7.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
thunderbird-1.5.0.12-44.el4.src.rpm
File outdated by:  RHSA-2012:0085
 
IA-32:
thunderbird-1.5.0.12-44.el4.i386.rpm
File outdated by:  RHSA-2012:0085
 
IA-64:
thunderbird-1.5.0.12-44.el4.ia64.rpm
File outdated by:  RHSA-2012:0085
 
x86_64:
thunderbird-1.5.0.12-44.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
thunderbird-1.5.0.12-44.el4.src.rpm
File outdated by:  RHSA-2012:0085
 
IA-32:
thunderbird-1.5.0.12-44.el4.i386.rpm
File outdated by:  RHSA-2012:0085
 
IA-64:
thunderbird-1.5.0.12-44.el4.ia64.rpm
File outdated by:  RHSA-2012:0085
 
x86_64:
thunderbird-1.5.0.12-44.el4.x86_64.rpm
File outdated by:  RHSA-2012:0085
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

741904 - CVE-2011-2999 Mozilla: XSS via plugins and shadowed window.location object (MFSA 2011-38)
741924 - CVE-2011-2998 Mozilla: Integer underflow when using JavaScript RegExp (MFSA 2011-37)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/