Security Advisory Moderate: thunderbird security update

Advisory: RHSA-2008:0224-2
Type: Security Advisory
Severity: Moderate
Issued on: 2008-04-30
Last updated on: 2008-04-30
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080224.xml
CVEs (cve.mitre.org): CVE-2008-1380

Details

Updated thunderbird packages that fix a security issue are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

A flaw was found in the processing of malformed JavaScript content. An HTML
mail message containing such malicious content could cause Thunderbird to
crash or, potentially, execute arbitrary code as the user running
Thunderbird. (CVE-2008-1380)

Note: JavaScript support is disabled by default in Thunderbird; the above
issue is not exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to these updated packages, which
contain backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Optional Productivity Applications (v. 5 server)
SRPMS:
thunderbird-1.5.0.12-12.el5_1.src.rpm
File outdated by:  RHSA-2008:0908		     60b34359e96abea351e0adf783a92aed
 
IA-32:
thunderbird-1.5.0.12-12.el5_1.i386.rpm
File outdated by:  RHSA-2008:0908		     68a7a5464295946e37880b0f9a9709bd
 
x86_64:
thunderbird-1.5.0.12-12.el5_1.x86_64.rpm
File outdated by:  RHSA-2008:0908		     83839de4dd37a8790b1db5d30e8dc597
 
Red Hat Desktop (v. 4)
SRPMS:
thunderbird-1.5.0.12-11.el4.src.rpm
File outdated by:  RHSA-2008:0908		     afcf0af22a1973d1bbed3867ee668145
 
IA-32:
thunderbird-1.5.0.12-11.el4.i386.rpm
File outdated by:  RHSA-2008:0908		     a8fc290e5cdaa2da01150e60486e643f
 
x86_64:
thunderbird-1.5.0.12-11.el4.x86_64.rpm
File outdated by:  RHSA-2008:0908		     edd3c9fa6893fade362ab2eaca363fe8
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
thunderbird-1.5.0.12-11.el4.src.rpm
File outdated by:  RHSA-2008:0908		     afcf0af22a1973d1bbed3867ee668145
 
IA-32:
thunderbird-1.5.0.12-11.el4.i386.rpm
File outdated by:  RHSA-2008:0908		     a8fc290e5cdaa2da01150e60486e643f
 
IA-64:
thunderbird-1.5.0.12-11.el4.ia64.rpm
File outdated by:  RHSA-2008:0908		     fdcac4f17d8ce62a6ede71f9b72de4a5
 
PPC:
thunderbird-1.5.0.12-11.el4.ppc.rpm
File outdated by:  RHSA-2008:0908		     e0855b1f5d40ff9a90124f1fb40791c2
 
s390:
thunderbird-1.5.0.12-11.el4.s390.rpm
File outdated by:  RHSA-2008:0908		     9553a55d9cb4f17cd345af6580b66c47
 
s390x:
thunderbird-1.5.0.12-11.el4.s390x.rpm
File outdated by:  RHSA-2008:0908		     79f37c9bcd4bf43aa16adfc12d16c3ad
 
x86_64:
thunderbird-1.5.0.12-11.el4.x86_64.rpm
File outdated by:  RHSA-2008:0908		     edd3c9fa6893fade362ab2eaca363fe8
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
thunderbird-1.5.0.12-12.el5_1.src.rpm
File outdated by:  RHSA-2008:0908		     60b34359e96abea351e0adf783a92aed
 
IA-32:
thunderbird-1.5.0.12-12.el5_1.i386.rpm
File outdated by:  RHSA-2008:0908		     68a7a5464295946e37880b0f9a9709bd
 
x86_64:
thunderbird-1.5.0.12-12.el5_1.x86_64.rpm
File outdated by:  RHSA-2008:0908		     83839de4dd37a8790b1db5d30e8dc597
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
thunderbird-1.5.0.12-11.el4.src.rpm
File outdated by:  RHSA-2008:0908		     afcf0af22a1973d1bbed3867ee668145
 
IA-32:
thunderbird-1.5.0.12-11.el4.i386.rpm
File outdated by:  RHSA-2008:0908		     a8fc290e5cdaa2da01150e60486e643f
 
IA-64:
thunderbird-1.5.0.12-11.el4.ia64.rpm
File outdated by:  RHSA-2008:0908		     fdcac4f17d8ce62a6ede71f9b72de4a5
 
x86_64:
thunderbird-1.5.0.12-11.el4.x86_64.rpm
File outdated by:  RHSA-2008:0908		     edd3c9fa6893fade362ab2eaca363fe8
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
thunderbird-1.5.0.12-11.el4.src.rpm
File outdated by:  RHSA-2008:0908		     afcf0af22a1973d1bbed3867ee668145
 
IA-32:
thunderbird-1.5.0.12-11.el4.i386.rpm
File outdated by:  RHSA-2008:0908		     a8fc290e5cdaa2da01150e60486e643f
 
IA-64:
thunderbird-1.5.0.12-11.el4.ia64.rpm
File outdated by:  RHSA-2008:0908		     fdcac4f17d8ce62a6ede71f9b72de4a5
 
x86_64:
thunderbird-1.5.0.12-11.el4.x86_64.rpm
File outdated by:  RHSA-2008:0908		     edd3c9fa6893fade362ab2eaca363fe8
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

440518 - CVE-2008-1380 Firefox JavaScript garbage collection crash


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/