
Security Advisory Important: thunderbird security update

Advisory: RHSA-2013:1269-1
Type: Security Advisory
Severity: Important
Issued on: 2013-09-17
Last updated on: 2013-09-17
Affected Products:
    RHEL Optional Productivity Applications (v. 5 server)
    RHEL Optional Productivity Applications EUS (v. 5.9.z server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux Desktop (v. 6)
    Red Hat Enterprise Linux Server (v. 6)
    Red Hat Enterprise Linux Server AUS (v. 6.4)
    Red Hat Enterprise Linux Server EUS (v. 6.4.z)
    Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
    CVE-2013-1718
    CVE-2013-1722
    CVE-2013-1725
    CVE-2013-1730
    CVE-2013-1732
    CVE-2013-1735
    CVE-2013-1736
    CVE-2013-1737

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-1718,
CVE-2013-1722, CVE-2013-1725, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735,
CVE-2013-1736)

A flaw was found in the way Thunderbird handled certain DOM JavaScript
objects. An attacker could use this flaw to cause JavaScript client or
add-on code to make incorrect, security-sensitive decisions. (CVE-2013-1737)

Red Hat would like to thank the Mozilla project for reporting these
issues. Upstream acknowledges André Bargull, Scoobidiver, Bobby Holley,
Reuben Morais, Abhishek Arya, Ms2ger, Sachin Shinde, Aki Helin, Nils, and
Boris Zbarsky as the original reporters of these issues.

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. They could be exploited another way in Thunderbird, for example,
when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 17.0.9 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
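
A post-update check for the step above, added here as an example and not part of the Red Hat advisory: it compares each host's installed thunderbird version-release against the fixed builds listed under Updated packages. The function names and the sample inventory are constructed, and GNU `sort -V` is assumed to stand in for rpm's own version comparison.

```bash
#!/bin/sh
# Fixed builds per RHEL major release, from this advisory's package list.
fixed_for() {
  case "$1" in
    *.el5*) echo "17.0.9-1.el5_9" ;;
    *.el6*) echo "17.0.9-1.el6_4" ;;
    *) return 1 ;;   # not a RHEL 5/6 build string
  esac
}

# ver_ge A B: succeeds when A sorts at or after B.
# Assumption: GNU `sort -V` approximates rpm's comparison for these versions.
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# tb_status VERSION-RELEASE -> PATCHED, VULNERABLE or UNKNOWN
tb_status() {
  tb_fixed=$(fixed_for "$1") || { echo UNKNOWN; return 0; }
  if ver_ge "$1" "$tb_fixed"; then echo PATCHED; else echo VULNERABLE; fi
}

# audit: reads "host version-release" lines, one per host, as collected with
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird
audit() {
  while read -r tb_host tb_vr; do
    [ -n "$tb_host" ] || continue
    printf '%s %s\n' "$tb_host" "$(tb_status "$tb_vr")"
  done
}

# Constructed sample inventory (hypothetical host names and older builds).
sample_inventory() {
  cat <<'EOF'
desk01 17.0.8-5.el6_4
desk02 17.0.9-1.el6_4
srv5a 17.0.7-1.el5_9
srv5b 17.0.9-1.el5_9
lab03 package thunderbird is not installed
EOF
}

sample_inventory | audit
```

A PATCHED result reflects the package on disk only; as the advisory states, a running Thunderbird must be restarted before the fix takes effect.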

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-17.0.9-1.el5_9.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el5_9.i386.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el5_9.i386.rpm
File outdated by: RHSA-2014:0316

x86_64:
thunderbird-17.0.9-1.el5_9.x86_64.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el5_9.x86_64.rpm
File outdated by: RHSA-2014:0316
 
RHEL Optional Productivity Applications EUS (v. 5.9.z server)

SRPMS:
thunderbird-17.0.9-1.el5_9.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el5_9.i386.rpm
thunderbird-debuginfo-17.0.9-1.el5_9.i386.rpm

x86_64:
thunderbird-17.0.9-1.el5_9.x86_64.rpm
thunderbird-debuginfo-17.0.9-1.el5_9.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-17.0.9-1.el5_9.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el5_9.i386.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el5_9.i386.rpm
File outdated by: RHSA-2014:0316

x86_64:
thunderbird-17.0.9-1.el5_9.x86_64.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el5_9.x86_64.rpm
File outdated by: RHSA-2014:0316
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-17.0.9-1.el6_4.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2014:0316

x86_64:
thunderbird-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2014:0316
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-17.0.9-1.el6_4.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2014:0316

PPC:
thunderbird-17.0.9-1.el6_4.ppc64.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.ppc64.rpm
File outdated by: RHSA-2014:0316

s390x:
thunderbird-17.0.9-1.el6_4.s390x.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.s390x.rpm
File outdated by: RHSA-2014:0316

x86_64:
thunderbird-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2014:0316
 
Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
thunderbird-17.0.9-1.el6_4.src.rpm
File outdated by: RHSA-2014:0316

x86_64:
thunderbird-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2013:1480
thunderbird-debuginfo-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2013:1480
 
Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
thunderbird-17.0.9-1.el6_4.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2013:1480
thunderbird-debuginfo-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2013:1480

PPC:
thunderbird-17.0.9-1.el6_4.ppc64.rpm
File outdated by: RHSA-2013:1480
thunderbird-debuginfo-17.0.9-1.el6_4.ppc64.rpm
File outdated by: RHSA-2013:1480

s390x:
thunderbird-17.0.9-1.el6_4.s390x.rpm
File outdated by: RHSA-2013:1480
thunderbird-debuginfo-17.0.9-1.el6_4.s390x.rpm
File outdated by: RHSA-2013:1480

x86_64:
thunderbird-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2013:1480
thunderbird-debuginfo-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2013:1480
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-17.0.9-1.el6_4.src.rpm
File outdated by: RHSA-2014:0316

IA-32:
thunderbird-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.i686.rpm
File outdated by: RHSA-2014:0316

x86_64:
thunderbird-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2014:0316
thunderbird-debuginfo-17.0.9-1.el6_4.x86_64.rpm
File outdated by: RHSA-2014:0316
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1009031 - CVE-2013-1718 Mozilla: Miscellaneous memory safety hazards (rv:17.0.9) (MFSA 2013-76)
1009032 - CVE-2013-1722 Mozilla: Use-after-free in Animation Manager during stylesheet cloning (MFSA 2013-79)
1009033 - CVE-2013-1725 Mozilla: Calling scope for new Javascript objects can lead to memory corruption (MFSA 2013-82)
1009036 - CVE-2013-1730 Mozilla: Compartment mismatch re-attaching XBL-backed nodes (MFSA 2013-88)
1009037 - CVE-2013-1732 Mozilla: Buffer overflow with multi-column, lists, and floats (MFSA 2013-89)
1009039 - CVE-2013-1735 CVE-2013-1736 Mozilla: Memory corruption involving scrolling (MFSA 2013-90)
1009041 - CVE-2013-1737 Mozilla: User-defined properties on DOM proxies get the wrong "this" object (MFSA 2013-91)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/