Security Advisory Important: thunderbird security update

Advisory: RHSA-2014:0918-1
Type: Security Advisory
Severity: Important
Issued on: 2014-07-22
Last updated on: 2014-07-22
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.5)
Red Hat Enterprise Linux Server EUS (v. 6.5.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2014-1547
CVE-2014-1555
CVE-2014-1556
CVE-2014-1557

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2014-1547, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, David Keeler, Byron Campen, Jethro
Beekman, Patrick Cozzi, and Mozilla community member John as the original
reporters of these issues.

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. They could be exploited another way in Thunderbird, for example,
when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 24.7.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 24.7.0 and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
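
To confirm the update reached every system, the following added example (not part of the original advisory or of any Red Hat tool) compares package strings of the form that `rpm -q thunderbird` prints against the fixed builds listed under "Updated packages". It assumes no epoch is set and uses a simplified version of rpm's comparison; the inventory, host names and function names are constructed for illustration.

```python
import re

# Fixed builds listed in this advisory, keyed by the release's dist tag.
FIXED = {"el5": ("24.7.0", "1.el5_10"), "el6": ("24.7.0", "1.el6_5")}
NVR = re.compile(r"thunderbird-([^-]+)-([^-]+?)(?:\.(?:i[36]86|x86_64|ppc64|s390x))?")

def rpm_label_cmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^' handling): returns -1, 0 or 1."""
    # rpm compares maximal runs of digits or letters; separators are ignored.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # 10 > 9, unlike a string compare
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(pkg):
    """True if a thunderbird name-version-release[.arch] string predates the fix."""
    m = NVR.fullmatch(pkg)
    dist = re.search(r"el\d+", m.group(2)) if m else None
    if not dist or dist.group() not in FIXED:
        raise ValueError(f"unrecognised package string: {pkg!r}")
    fixed_version, fixed_release = FIXED[dist.group()]
    c = rpm_label_cmp(m.group(1), fixed_version)
    return c < 0 or (c == 0 and rpm_label_cmp(m.group(2), fixed_release) < 0)

def outdated_hosts(inventory):
    """Hosts from 'hostname package' lines whose thunderbird still needs the update."""
    rows = (line.split() for line in inventory.splitlines() if line.strip())
    return [host for host, pkg in rows if needs_update(pkg)]

# Constructed inventory; host names and the non-advisory builds are made up.
SAMPLE = """\
ws-01 thunderbird-24.6.0-1.el6_5.x86_64
ws-02 thunderbird-24.7.0-1.el6_5.x86_64
srv-5a thunderbird-24.7.0-1.el5_9.i386
srv-5b thunderbird-24.8.0-1.el5_10.i386
"""

if __name__ == "__main__":
    print(outdated_hosts(SAMPLE))
```

A host that passes this check still runs the old code until Thunderbird is restarted, as noted in the Details section.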

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-24.7.0-1.el5_10.src.rpm
File outdated by:  RHSA-2015:0771
 
IA-32:
thunderbird-24.7.0-1.el5_10.i386.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el5_10.i386.rpm
File outdated by:  RHSA-2015:0771
 
x86_64:
thunderbird-24.7.0-1.el5_10.x86_64.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el5_10.x86_64.rpm
File outdated by:  RHSA-2015:0771
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-24.7.0-1.el5_10.src.rpm
File outdated by:  RHSA-2015:0771
 
IA-32:
thunderbird-24.7.0-1.el5_10.i386.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el5_10.i386.rpm
File outdated by:  RHSA-2015:0771
 
x86_64:
thunderbird-24.7.0-1.el5_10.x86_64.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el5_10.x86_64.rpm
File outdated by:  RHSA-2015:0771
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-24.7.0-1.el6_5.src.rpm
File outdated by:  RHSA-2015:0771
 
IA-32:
thunderbird-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2015:0771
 
x86_64:
thunderbird-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2015:0771
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-24.7.0-1.el6_5.src.rpm
File outdated by:  RHSA-2015:0771
 
IA-32:
thunderbird-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2015:0771
 
PPC:
thunderbird-24.7.0-1.el6_5.ppc64.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.ppc64.rpm
File outdated by:  RHSA-2015:0771
 
s390x:
thunderbird-24.7.0-1.el6_5.s390x.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.s390x.rpm
File outdated by:  RHSA-2015:0771
 
x86_64:
thunderbird-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2015:0771
 
Red Hat Enterprise Linux Server AUS (v. 6.5)

SRPMS:
thunderbird-24.7.0-1.el6_5.src.rpm
File outdated by:  RHSA-2015:0771
 
x86_64:
thunderbird-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2014:1145
thunderbird-debuginfo-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2014:1145
 
Red Hat Enterprise Linux Server EUS (v. 6.5.z)

SRPMS:
thunderbird-24.7.0-1.el6_5.src.rpm
File outdated by:  RHSA-2015:0771
 
IA-32:
thunderbird-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2014:1145
thunderbird-debuginfo-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2014:1145
 
PPC:
thunderbird-24.7.0-1.el6_5.ppc64.rpm
File outdated by:  RHSA-2014:1145
thunderbird-debuginfo-24.7.0-1.el6_5.ppc64.rpm
File outdated by:  RHSA-2014:1145
 
s390x:
thunderbird-24.7.0-1.el6_5.s390x.rpm
File outdated by:  RHSA-2014:1145
thunderbird-debuginfo-24.7.0-1.el6_5.s390x.rpm
File outdated by:  RHSA-2014:1145
 
x86_64:
thunderbird-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2014:1145
thunderbird-debuginfo-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2014:1145
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-24.7.0-1.el6_5.src.rpm
File outdated by:  RHSA-2015:0771
 
IA-32:
thunderbird-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.i686.rpm
File outdated by:  RHSA-2015:0771
 
x86_64:
thunderbird-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2015:0771
thunderbird-debuginfo-24.7.0-1.el6_5.x86_64.rpm
File outdated by:  RHSA-2015:0771
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1121464 - CVE-2014-1547 Mozilla: Miscellaneous memory safety hazards (rv:24.7) (MFSA 2014-56)
1121476 - CVE-2014-1555 Mozilla: Use-after-free with FireOnStateChange event (MFSA 2014-61)
1121478 - CVE-2014-1556 Mozilla: Exploitable WebGL crash with Cesium JavaScript library (MFSA 2014-62)
1121479 - CVE-2014-1557 Mozilla: Crash in Skia library when scaling high quality images (MFSA 2014-64)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/