Red Hat Product Errata RHSA-2024:0004 - Security Advisory
Issued:
2024-01-02
Updated:
2024-01-02

RHSA-2024:0004 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.6.0.

Security Fix(es):

  • Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver (CVE-2023-6856)
  • Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)
  • Mozilla: S/MIME signature accepted despite mismatching message date (CVE-2023-50761)
  • Mozilla: Truncated signed text was shown with a valid OpenPGP signature (CVE-2023-50762)
  • Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)
  • Mozilla: Heap buffer overflow in <code>nsTextFragment</code> (CVE-2023-6858)
  • Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)
  • Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation (CVE-2023-6860)
  • Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode (CVE-2023-6861)
  • Mozilla: Use-after-free in <code>nsDNSService</code> (CVE-2023-6862)
  • Mozilla: Undefined behavior in <code>ShutdownObserver()</code> (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.8 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

Fixes

  • BZ - 2255360 - CVE-2023-6856 Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver
  • BZ - 2255362 - CVE-2023-6857 Mozilla: Symlinks may resolve to smaller than expected buffers
  • BZ - 2255363 - CVE-2023-6858 Mozilla: Heap buffer overflow in <code>nsTextFragment</code>
  • BZ - 2255364 - CVE-2023-6859 Mozilla: Use-after-free in PR_GetIdentitiesLayer
  • BZ - 2255365 - CVE-2023-6860 Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation
  • BZ - 2255367 - CVE-2023-6861 Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode
  • BZ - 2255368 - CVE-2023-6862 Mozilla: Use-after-free in <code>nsDNSService</code>
  • BZ - 2255369 - CVE-2023-6863 Mozilla: Undefined behavior in <code>ShutdownObserver()</code>
  • BZ - 2255370 - CVE-2023-6864 Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6
  • BZ - 2255378 - CVE-2023-50761 Mozilla: S/MIME signature accepted despite mismatching message date
  • BZ - 2255379 - CVE-2023-50762 Mozilla: Truncated signed text was shown with a valid OpenPGP signature

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
x86_64
thunderbird-115.6.0-1.el8_8.x86_64.rpm SHA-256: 2689a7dc2aeead2066421259b844348b11826aecb7b63aebac1cd6b2448c9d25
thunderbird-debuginfo-115.6.0-1.el8_8.x86_64.rpm SHA-256: 3c1b46c80bc6659fc96e40e8a64fda1af48e775d793c2b1a1a840c7e6c0818b0
thunderbird-debugsource-115.6.0-1.el8_8.x86_64.rpm SHA-256: 4353b62618854e0cc427167a6a5de920657f4556ff4ced04e72d3a6a102648dc

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
s390x
thunderbird-115.6.0-1.el8_8.s390x.rpm SHA-256: e3e59742f428906a27485a0a825f91470f857d39fa10c80f86891f25938d3e71
thunderbird-debuginfo-115.6.0-1.el8_8.s390x.rpm SHA-256: c5fffc2c7257e93a2048ffa38c5cf13b5529901936c5fe22c533378111a11e6a
thunderbird-debugsource-115.6.0-1.el8_8.s390x.rpm SHA-256: 61a123d254faeb25dedc2b41defda988b6876864408183f39025110fb308154f

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
ppc64le
thunderbird-115.6.0-1.el8_8.ppc64le.rpm SHA-256: 36ddb0d4a634c73095ea5943d4c08e521a211f8a17ea85b54462396ffacacd26
thunderbird-debuginfo-115.6.0-1.el8_8.ppc64le.rpm SHA-256: 74a04190aab2c7481a6fc4c4a943be564ac7ee27fe237090ba470061deb3c985
thunderbird-debugsource-115.6.0-1.el8_8.ppc64le.rpm SHA-256: 179947f417ce3f71e7e7efa3ce2c313bef0b8a62fe414d9b4af33446c65c5a9d

Red Hat Enterprise Linux Server - TUS 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
x86_64
thunderbird-115.6.0-1.el8_8.x86_64.rpm SHA-256: 2689a7dc2aeead2066421259b844348b11826aecb7b63aebac1cd6b2448c9d25
thunderbird-debuginfo-115.6.0-1.el8_8.x86_64.rpm SHA-256: 3c1b46c80bc6659fc96e40e8a64fda1af48e775d793c2b1a1a840c7e6c0818b0
thunderbird-debugsource-115.6.0-1.el8_8.x86_64.rpm SHA-256: 4353b62618854e0cc427167a6a5de920657f4556ff4ced04e72d3a6a102648dc

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
aarch64
thunderbird-115.6.0-1.el8_8.aarch64.rpm SHA-256: 564557764ba676ef4f5c7682938fd4bf58096c12e90c545fa6f4e03305d2b361
thunderbird-debuginfo-115.6.0-1.el8_8.aarch64.rpm SHA-256: ad191219d3c0da7c48eabd9f9c657d65550291b9fb8e456f7c4729d833bdeb68
thunderbird-debugsource-115.6.0-1.el8_8.aarch64.rpm SHA-256: 0109624b1c25f0d4cb82d906c8bf10a5e39baa52916bbc1b070b761d570b20ec

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
ppc64le
thunderbird-115.6.0-1.el8_8.ppc64le.rpm SHA-256: 36ddb0d4a634c73095ea5943d4c08e521a211f8a17ea85b54462396ffacacd26
thunderbird-debuginfo-115.6.0-1.el8_8.ppc64le.rpm SHA-256: 74a04190aab2c7481a6fc4c4a943be564ac7ee27fe237090ba470061deb3c985
thunderbird-debugsource-115.6.0-1.el8_8.ppc64le.rpm SHA-256: 179947f417ce3f71e7e7efa3ce2c313bef0b8a62fe414d9b4af33446c65c5a9d

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8

SRPM
thunderbird-115.6.0-1.el8_8.src.rpm SHA-256: eebc5ccec2be87e4c97268a69d2f39e4980854359f31bc9aa002e9e3e2bbe5d5
x86_64
thunderbird-115.6.0-1.el8_8.x86_64.rpm SHA-256: 2689a7dc2aeead2066421259b844348b11826aecb7b63aebac1cd6b2448c9d25
thunderbird-debuginfo-115.6.0-1.el8_8.x86_64.rpm SHA-256: 3c1b46c80bc6659fc96e40e8a64fda1af48e775d793c2b1a1a840c7e6c0818b0
thunderbird-debugsource-115.6.0-1.el8_8.x86_64.rpm SHA-256: 4353b62618854e0cc427167a6a5de920657f4556ff4ced04e72d3a6a102648dc

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.