Security Advisory Critical: thunderbird security update

Advisory: RHSA-2013:0272-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-02-19
Last updated on: 2013-02-19
Affected Products:
  RHEL Optional Productivity Applications (v. 5 server)
  RHEL Optional Productivity Applications EUS (v. 5.9.z server)
  Red Hat Enterprise Linux Desktop (v. 5 client)
  Red Hat Enterprise Linux Desktop (v. 6)
  Red Hat Enterprise Linux Server (v. 6)
  Red Hat Enterprise Linux Server EUS (v. 6.3.z)
  Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
  CVE-2013-0775
  CVE-2013-0776
  CVE-2013-0780
  CVE-2013-0782
  CVE-2013-0783

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-0775,
CVE-2013-0780, CVE-2013-0782, CVE-2013-0783)

It was found that, after canceling a proxy server's authentication
prompt, the address bar continued to show the requested site's address. An
attacker could use this flaw to conduct phishing attacks by tricking a
user into believing they are viewing trusted content. (CVE-2013-0776)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Nils, Abhishek Arya, Olli Pettay, Christoph Diehl,
Gary Kwong, Jesse Ruderman, Andrew McCreight, Joe Drew, Wayne Mery, and
Michal Zalewski as the original reporters of these issues.

Note: None of these issues can be exploited by a specially-crafted HTML mail
message, as JavaScript is disabled by default for mail messages. They could
be exploited another way in Thunderbird, for example, when viewing the full
remote content of an RSS feed.

Important: This erratum upgrades Thunderbird to version 17.0.3 ESR.
Thunderbird 17 is not completely backwards-compatible with all Mozilla
add-ons and Thunderbird plug-ins that worked with Thunderbird 10.0.
Thunderbird 17 checks compatibility on first launch and, depending on the
individual configuration and the installed add-ons and plug-ins, may
disable those add-ons and plug-ins, or attempt to check for updates and
upgrade them. Add-ons and plug-ins may have to be manually updated.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 17.0.3 ESR and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
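Confirming across an estate that the fixed build (17.0.3-1.el5_9 or 17.0.3-1.el6_3, per the package list below) is actually installed, as an added example that is not part of the advisory: the host inventory lines are constructed sample data, and the version comparison is a re-implementation of rpm's segment rule, not a call into rpm itself.

```python
"""Flag hosts whose thunderbird RPM predates the build in RHSA-2013:0272-1.
Added example, not from the advisory: re-implements rpm's rpmvercmp() segment
rule (digits beat letters; tilde/caret omitted) so it runs without rpm."""
import re

# Fixed version-release per RHEL major, from the advisory's package list.
FIXED = {"5": "17.0.3-1.el5_9", "6": "17.0.3-1.el6_3"}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two rpm version (or release) strings."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():   # a numeric segment is newer than alpha
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)        # so "10" > "9", not a string compare
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # more segments wins

def compare_vr(vr_a, vr_b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_hosts(query_output):
    """Return [(host, version-release)] for hosts still below the fixed build.
    Each line is '<host> <name> <version>-<release>.<arch>', i.e. what
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}.%{ARCH}' thunderbird prints."""
    out = []
    for line in query_output.splitlines():
        host, name, vra = line.split()
        if name != "thunderbird":
            continue
        vr, _arch = vra.rsplit(".", 1)
        m = re.search(r"\.el(\d+)", vr)
        fixed = FIXED.get(m.group(1)) if m else None
        # Unknown dist tag is reported too: a false alarm beats a missed host.
        if fixed is None or compare_vr(vr, fixed) < 0:
            out.append((host, vr))
    return out

# Constructed sample: one line per host, as an inventory job might collect it.
SAMPLE_QUERY = """mail01 thunderbird 10.0.12-3.el6_3.x86_64
mail02 thunderbird 17.0.3-1.el6_3.x86_64
desk07 thunderbird 17.0.3-1.el5_9.i386
desk08 thunderbird 10.0.12-3.el5_9.i386
build3 thunderbird 24.1.0-1.el6_5.x86_64"""
```

Hosts already on a later erratum (build3 above) compare as newer and are not reported, so the same check keeps working after the packages listed here are superseded.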

Updated packages


Bugs fixed (see bugzilla for more information)

911836 - CVE-2013-0783 Mozilla: Miscellaneous memory safety hazards (rv:17.0.3) (MFSA 2013-21)
911843 - CVE-2013-0775 Mozilla: Use-after-free in nsImageLoadingContent (MFSA 2013-26)
911844 - CVE-2013-0776 Mozilla: Phishing on HTTPS connection through malicious proxy (MFSA 2013-27)
911865 - CVE-2013-0780 CVE-2013-0782 Mozilla: Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer (MFSA 2013-28)

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/