-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2023:1805-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1805
Issue date:        2023-04-17
CVE Names:         CVE-2023-0547 CVE-2023-1945 CVE-2023-28427
                   CVE-2023-29479 CVE-2023-29533 CVE-2023-29535
                   CVE-2023-29536 CVE-2023-29539 CVE-2023-29541
                   CVE-2023-29548 CVE-2023-29550
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP
Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.10.0.
Security Fix(es):

* Thunderbird: Revocation status of S/Mime recipient certificates was not
checked (CVE-2023-0547)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack (CVE-2023-28427)

* Mozilla: Fullscreen notification obscured (CVE-2023-29533)

* Mozilla: Potential Memory Corruption following Garbage Collector
compaction (CVE-2023-29535)

* Mozilla: Invalid free from JavaScript code (CVE-2023-29536)

* Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
(CVE-2023-29550)

* Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)

* Thunderbird: Hang when processing certain OpenPGP messages
(CVE-2023-29479)

* Mozilla: Content-Disposition filename truncation leads to Reflected File
Download (CVE-2023-29539)

* Mozilla: Files with malicious extensions could have been downloaded
unsafely on Linux (CVE-2023-29541)

* Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)

* MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp (BZ#2186102)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2183278 - CVE-2023-28427 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
2186101 - CVE-2023-29533 Mozilla: Fullscreen notification obscured
2186102 - MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp
2186103 - CVE-2023-29535 Mozilla: Potential Memory Corruption following Garbage Collector compaction
2186104 - CVE-2023-29536 Mozilla: Invalid free from JavaScript code
2186105 - CVE-2023-29539 Mozilla: Content-Disposition filename truncation leads to Reflected File Download
2186106 - CVE-2023-29541 Mozilla: Files with malicious extensions could have been downloaded unsafely on Linux
2186109 - CVE-2023-1945 Mozilla: Memory Corruption in Safe Browsing Code
2186110 - CVE-2023-29548 Mozilla: Incorrect optimization result on ARM64
2186111 - CVE-2023-29550 Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
2186734 - CVE-2023-0547 Thunderbird: Revocation status of S/Mime recipient certificates was not checked
2186735 - CVE-2023-29479 Thunderbird: Hang when processing certain OpenPGP messages

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:
thunderbird-102.10.0-2.el8_2.src.rpm

aarch64:
thunderbird-102.10.0-2.el8_2.aarch64.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.aarch64.rpm
thunderbird-debugsource-102.10.0-2.el8_2.aarch64.rpm

ppc64le:
thunderbird-102.10.0-2.el8_2.ppc64le.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.ppc64le.rpm
thunderbird-debugsource-102.10.0-2.el8_2.ppc64le.rpm

x86_64:
thunderbird-102.10.0-2.el8_2.x86_64.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.x86_64.rpm
thunderbird-debugsource-102.10.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:
thunderbird-102.10.0-2.el8_2.src.rpm

aarch64:
thunderbird-102.10.0-2.el8_2.aarch64.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.aarch64.rpm
thunderbird-debugsource-102.10.0-2.el8_2.aarch64.rpm

ppc64le:
thunderbird-102.10.0-2.el8_2.ppc64le.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.ppc64le.rpm
thunderbird-debugsource-102.10.0-2.el8_2.ppc64le.rpm

x86_64:
thunderbird-102.10.0-2.el8_2.x86_64.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.x86_64.rpm
thunderbird-debugsource-102.10.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:
thunderbird-102.10.0-2.el8_2.src.rpm

aarch64:
thunderbird-102.10.0-2.el8_2.aarch64.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.aarch64.rpm
thunderbird-debugsource-102.10.0-2.el8_2.aarch64.rpm

ppc64le:
thunderbird-102.10.0-2.el8_2.ppc64le.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.ppc64le.rpm
thunderbird-debugsource-102.10.0-2.el8_2.ppc64le.rpm

x86_64:
thunderbird-102.10.0-2.el8_2.x86_64.rpm
thunderbird-debuginfo-102.10.0-2.el8_2.x86_64.rpm
thunderbird-debugsource-102.10.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0547
https://access.redhat.com/security/cve/CVE-2023-1945
https://access.redhat.com/security/cve/CVE-2023-28427
https://access.redhat.com/security/cve/CVE-2023-29479
https://access.redhat.com/security/cve/CVE-2023-29533
https://access.redhat.com/security/cve/CVE-2023-29535
https://access.redhat.com/security/cve/CVE-2023-29536
https://access.redhat.com/security/cve/CVE-2023-29539
https://access.redhat.com/security/cve/CVE-2023-29541
https://access.redhat.com/security/cve/CVE-2023-29548
https://access.redhat.com/security/cve/CVE-2023-29550
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZD10etzjgjWX9erEAQgiexAAi0gjrSD6gHpYVamfsetNsBvwiSwK4c8j
XOLykTM60aNTW2GY/MZPAQ0qKi3hpcIuMeusx0qLwu93CkgFnSAKla/BITIZGExw
FIcDuNmjSjupXrpgFnOLB4mdWE9IaVf9VjFyixBh5nFWMaI5VQzCRi/RtQVqNJdy
ZPhL4H12Pc8Nfv/YfidYi3X+VTsoJGzOtxIfjJkP/19IZji2anWeMM71KqI77ktU
JuT15BWxOsleI8kYqZKzC4q4b9DbeAKVG3Pu5yrEnycH27+yjfP+Um08W2nXzh3p
PmsD/blrES7H+Qsg1y4MdcVJyfISx7tAkQBBInp4xtLN1nRTNRFZalv8AtwM/seM
e+7jBxs96XZ+2boUpsT8C9nMdh+u5kxMODVTRUPwERF+bdl23/agPMBAEjAwYr47
G4AOfk4GVfSJZCTg7HDSLiR1nAtnOnES7uYszuIYh4865WFspzxT/8wriyrooiED
8h15uzVPlc+XJJdMzo1Y6UR2YnepyQCgzvyxRHpJZ4QidTX1mAOkCMtkcwP7vtbZ
3lPTLMc7So4TBinHZTjVC5bpYAvA5esx8QTLQLkp+QVF9BgduYYLEP56jAGcfkcv
yZ/xsewmJCdrrmdNXKeNYu5/3D3X99vlmLsjd18GO/OmL75rUNwvqeHLMVzcSafV
TEpNZnGVKGI=
=Ue/5
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
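Sections 4 and 6 of the advisory tell the administrator what "applied" means here: the fixed build from the package list must be installed, the packages must carry Red Hat's GPG signature, and every running Thunderbird must be restarted. The script below is an added example of auditing those three conditions on a RHEL 8.2 host; it is not Red Hat's tooling and not part of the advisory. It assumes rpm and procps-ng are present, that rpm's pgpsig query formatter prints the signing key as "Key ID <id>", and that the operator sets RH_KEYID to the key ID published at the key URL in section 6. The version comparison is a deliberate simplification of rpm's own rpmvercmp that is sufficient for version-release strings of the shape used in this advisory.

```shell
#!/bin/sh
# Added example for RHSA-2023:1805, not Red Hat's own tooling: audit a RHEL 8.2
# host for (a) the fixed thunderbird build from section 6, (b) a package
# signature from the expected Red Hat key (section 6), and (c) Thunderbird
# processes that started before the package was installed and so still run
# the old code (section 4 requires a restart).
# Assumptions: rpm and procps-ng are installed, rpm's pgpsig formatter prints
# "Key ID <id>", and RH_KEYID holds the key ID from
# https://access.redhat.com/security/team/key/ (set by the operator).

FIXED_EVR="102.10.0-2.el8_2"   # version-release from the advisory's package list

# vercmp A B: prints -1, 0 or 1. Segments are split on '.', '-' and '_';
# all-digit segments compare numerically, anything else as a string, and a
# missing trailing segment sorts older. This is a simplification of rpm's
# rpmvercmp that is sufficient for version-release strings of this shape;
# use rpmdev-vercmp (rpmdevtools) when you need the authoritative answer.
vercmp() {
    va=$(printf '%s' "$1" | sed 's/[._-]/ /g')
    vb=$(printf '%s' "$2" | sed 's/[._-]/ /g')
    while [ -n "$va" ] || [ -n "$vb" ]; do
        sa=${va%% *}; if [ "$sa" = "$va" ]; then va=''; else va=${va#* }; fi
        sb=${vb%% *}; if [ "$sb" = "$vb" ]; then vb=''; else vb=${vb#* }; fi
        if [ -z "$sa" ] && [ -n "$sb" ]; then printf '%s\n' -1; return; fi
        if [ -n "$sa" ] && [ -z "$sb" ]; then printf '%s\n' 1; return; fi
        case "$sa$sb" in
            *[!0-9]*)                     # at least one side is not all digits
                if [ "$sa" != "$sb" ]; then
                    if expr "x$sa" \< "x$sb" >/dev/null; then printf '%s\n' -1; else printf '%s\n' 1; fi
                    return
                fi ;;
            *)
                if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return; fi
                if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1; return; fi ;;
        esac
    done
    printf '%s\n' 0
}

# is_fixed INSTALLED_EVR: succeeds when the installed build is at least FIXED_EVR.
is_fixed() {
    [ "$(vercmp "$1" "$FIXED_EVR")" -ge 0 ]
}

# needs_restart PROC_START_EPOCH PKG_INSTALL_EPOCH: succeeds when a running
# Thunderbird started before the fixed package was installed and is therefore
# still executing the pre-update code.
needs_restart() {
    [ "$1" -lt "$2" ]
}

# signed_by EXPECTED_KEYID SIGLINE: succeeds when rpm's signature summary
# (rpm -q --qf '%{SIGPGP:pgpsig}') names the expected key ID.
signed_by() {
    case "$2" in *"Key ID $1"*) return 0 ;; *) return 1 ;; esac
}

# audit_host: run the three checks against the local rpm database and the
# process table; returns the number of failed checks.
audit_host() {
    fails=0
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird) || return 1
    if is_fixed "$installed"; then echo "OK   thunderbird $installed (fixed build: $FIXED_EVR)"
    else echo "FAIL thunderbird $installed is older than $FIXED_EVR"; fails=$((fails + 1)); fi

    sig=$(rpm -q --qf '%{SIGPGP:pgpsig}\n' thunderbird)
    if signed_by "${RH_KEYID:?set RH_KEYID to the Red Hat key ID}" "$sig"; then
        echo "OK   signature: $sig"
    else echo "FAIL signature: $sig"; fails=$((fails + 1)); fi

    installtime=$(rpm -q --qf '%{INSTALLTIME}\n' thunderbird)
    now=$(date +%s)
    for pid in $(pgrep -x thunderbird); do
        elapsed=$(ps -o etimes= -p "$pid" | tr -d ' ')
        if needs_restart $((now - elapsed)) "$installtime"; then
            echo "FAIL pid $pid started before the update was installed; restart it"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Run the live audit only when asked, so the helpers can also be sourced
# and exercised on a machine without rpm.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `RH_KEYID=<id from the key page> sh audit.sh --audit` on the patched host; a non-zero exit is the number of failed checks. The advisory text itself is a PGP-signed message, so the same key, once imported into gpg, also lets you check the announcement with `gpg --verify` before acting on it.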