Red Hat Product Errata RHSA-2023:0460 - Security Advisory
Issued:
2023-01-25
Updated:
2023-01-25

RHSA-2023:0460 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

  • Mozilla: libusrsctp library out of date (CVE-2022-46871)
  • Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598)
  • Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605)
  • Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599)
  • Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601)
  • Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602)
  • Mozilla: Fullscreen notification bypass (CVE-2022-46877)
  • Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.4 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.4 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64

Fixes

  • BZ - 2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date
  • BZ - 2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux
  • BZ - 2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output
  • BZ - 2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation
  • BZ - 2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
  • BZ - 2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass
  • BZ - 2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive
  • BZ - 2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
x86_64
thunderbird-102.7.1-1.el8_4.x86_64.rpm SHA-256: 4079ca1818baea4f80ef78749c05d426fe082692630a532562969aa5ad995f44
thunderbird-debuginfo-102.7.1-1.el8_4.x86_64.rpm SHA-256: d6f986e9d65511686d876d733ac602fdf13bc9a1a10b81799c964ebbab8e10f2
thunderbird-debugsource-102.7.1-1.el8_4.x86_64.rpm SHA-256: 46577247bd205b128ee7a8388366612ef94bfc945c0555617cca3f1b49205707

Red Hat Enterprise Linux Server - AUS 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
x86_64
thunderbird-102.7.1-1.el8_4.x86_64.rpm SHA-256: 4079ca1818baea4f80ef78749c05d426fe082692630a532562969aa5ad995f44
thunderbird-debuginfo-102.7.1-1.el8_4.x86_64.rpm SHA-256: d6f986e9d65511686d876d733ac602fdf13bc9a1a10b81799c964ebbab8e10f2
thunderbird-debugsource-102.7.1-1.el8_4.x86_64.rpm SHA-256: 46577247bd205b128ee7a8388366612ef94bfc945c0555617cca3f1b49205707

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
s390x
thunderbird-102.7.1-1.el8_4.s390x.rpm SHA-256: cae2e62d8cd7505731621ae03d1d0bff398c28e757bbcd5a7420b1d321a0bcec
thunderbird-debuginfo-102.7.1-1.el8_4.s390x.rpm SHA-256: 0139c90ab14467328faa60df9c3821b06c529453814b5616e876f615c87bb45d
thunderbird-debugsource-102.7.1-1.el8_4.s390x.rpm SHA-256: 519ecbf81d3ab68e0953b45192bb4181be4600778505f25306aa3b98ecfd51d2

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
ppc64le
thunderbird-102.7.1-1.el8_4.ppc64le.rpm SHA-256: 1f21c536f7921c5371750bc2b211953fec7ecdf1b2995eb2a11565b1f2cc863a
thunderbird-debuginfo-102.7.1-1.el8_4.ppc64le.rpm SHA-256: 9fc2ac75ac4ddb6786b8a364545999b3d43572065f5409a81e8ab7668000413b
thunderbird-debugsource-102.7.1-1.el8_4.ppc64le.rpm SHA-256: 6ca0cc955769195411a15e55d5ae3b22cf15b3ba55b84d40cfcdcf6cddb63b8c

Red Hat Enterprise Linux Server - TUS 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
x86_64
thunderbird-102.7.1-1.el8_4.x86_64.rpm SHA-256: 4079ca1818baea4f80ef78749c05d426fe082692630a532562969aa5ad995f44
thunderbird-debuginfo-102.7.1-1.el8_4.x86_64.rpm SHA-256: d6f986e9d65511686d876d733ac602fdf13bc9a1a10b81799c964ebbab8e10f2
thunderbird-debugsource-102.7.1-1.el8_4.x86_64.rpm SHA-256: 46577247bd205b128ee7a8388366612ef94bfc945c0555617cca3f1b49205707

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
aarch64
thunderbird-102.7.1-1.el8_4.aarch64.rpm SHA-256: 3c97efa8d02abcde798cf89d8ff042e817f64141550b84f4683e52d45a67bda1
thunderbird-debuginfo-102.7.1-1.el8_4.aarch64.rpm SHA-256: 3c4ac3536af6a1211e9e62ad4da88471c9f7f7e126aff6948d6661a16447bd42
thunderbird-debugsource-102.7.1-1.el8_4.aarch64.rpm SHA-256: 5064ab0bab485dee346c89d09aa531a0e130c0cceb76dcd944ce898598c376c3

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
ppc64le
thunderbird-102.7.1-1.el8_4.ppc64le.rpm SHA-256: 1f21c536f7921c5371750bc2b211953fec7ecdf1b2995eb2a11565b1f2cc863a
thunderbird-debuginfo-102.7.1-1.el8_4.ppc64le.rpm SHA-256: 9fc2ac75ac4ddb6786b8a364545999b3d43572065f5409a81e8ab7668000413b
thunderbird-debugsource-102.7.1-1.el8_4.ppc64le.rpm SHA-256: 6ca0cc955769195411a15e55d5ae3b22cf15b3ba55b84d40cfcdcf6cddb63b8c

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4

SRPM
thunderbird-102.7.1-1.el8_4.src.rpm SHA-256: 773b2e7a987258a1d3fa70617f9781fbb748cf0f6f490b1a80f0c0ea8d018df9
x86_64
thunderbird-102.7.1-1.el8_4.x86_64.rpm SHA-256: 4079ca1818baea4f80ef78749c05d426fe082692630a532562969aa5ad995f44
thunderbird-debuginfo-102.7.1-1.el8_4.x86_64.rpm SHA-256: d6f986e9d65511686d876d733ac602fdf13bc9a1a10b81799c964ebbab8e10f2
thunderbird-debugsource-102.7.1-1.el8_4.x86_64.rpm SHA-256: 46577247bd205b128ee7a8388366612ef94bfc945c0555617cca3f1b49205707

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.