Synopsis
Important: thunderbird security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update for thunderbird is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 60.8.0.
Security Fix(es):
- Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 (CVE-2019-11709)
- Mozilla: Sandbox escape via installation of malicious language pack (CVE-2019-9811)
- Mozilla: Script injection within domain through inner window reuse (CVE-2019-11711)
- Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (CVE-2019-11712)
- Mozilla: Use-after-free with HTTP/2 cached stream (CVE-2019-11713)
- Mozilla: HTML parsing error can contribute to content XSS (CVE-2019-11715)
- Mozilla: Caret character improperly escaped in origins (CVE-2019-11717)
- Mozilla: Same-origin policy treats all files in a directory as having the same-origin (CVE-2019-11730)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Thunderbird fails to authenticate with gmail with ssl/tls and OAuth4 (BZ#1725919)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to take effect.
Affected Products
-
Red Hat Enterprise Linux for x86_64 8 x86_64
-
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Fixes
- BZ - 1725919 - Thunderbird fails to authenticate with gmail with ssl/tls and OAuth4
- BZ - 1728430 - CVE-2019-11709 Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
- BZ - 1728431 - CVE-2019-11711 Mozilla: Script injection within domain through inner window reuse
- BZ - 1728432 - CVE-2019-11712 Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
- BZ - 1728433 - CVE-2019-11713 Mozilla: Use-after-free with HTTP/2 cached stream
- BZ - 1728434 - CVE-2019-11715 Mozilla: HTML parsing error can contribute to content XSS
- BZ - 1728435 - CVE-2019-11717 Mozilla: Caret character improperly escaped in origins
- BZ - 1728438 - CVE-2019-11730 Mozilla: Same-origin policy treats all files in a directory as having the same-origin
- BZ - 1728439 - CVE-2019-9811 Mozilla: Sandbox escape via installation of malicious language pack
CVEs
References