Critical CentOS thunderbird Update

Metadata

critical
10.0
thunderbird-10.0.8-1.el5.centos.i386.rpm, thunderbird-10.0.8-1.el5.centos.src.rpm, thunderbird-10.0.8-1.el5.centos.x86_64.rpm, thunderbird-10.0.8-1.el6.centos.i686.rpm, thunderbird-10.0.8-1.el6.centos.src.rpm, thunderbird-10.0.8-1.el6.centos.x86_64.rpm
CVE-2012-1956, CVE-2012-3982, CVE-2012-3986, CVE-2012-3988, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
rhn.redhat.com, lists.centos.org, lists.centos.org
2012-10-10
2017-07-27 19:04

Description


An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-3982,
CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180,
CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188)

Two flaws in Thunderbird could allow malicious content to bypass intended
restrictions, possibly leading to information disclosure, or Thunderbird
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution.
(CVE-2012-3986, CVE-2012-3991)

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, script injection, or spoofing attacks. (CVE-2012-1956,
CVE-2012-3992, CVE-2012-3994)

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Thunderbird to execute arbitrary code. (CVE-2012-3993, CVE-2012-4184)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Jesse Ruderman, Soroush Dalili,
miaubiz, Abhishek Arya, Atte Kettunen, Johnny Stenback, Alice White,
moz_bug_r_a4, and Mariusz Mlynski as the original reporters of these
issues.

Note: None of the issues in this advisory can be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. They could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.8 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.
Please see https://www.redhat.com/footer/terms-of-use.html

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Affected package information

Release  Package      Patched in
5        thunderbird  thunderbird-10.0.8-1.el5.centos.i386.rpm
5        thunderbird  thunderbird-10.0.8-1.el5.centos.src.rpm
5        thunderbird  thunderbird-10.0.8-1.el5.centos.x86_64.rpm
6        thunderbird  thunderbird-10.0.8-1.el6.centos.i686.rpm
6        thunderbird  thunderbird-10.0.8-1.el6.centos.src.rpm
6        thunderbird  thunderbird-10.0.8-1.el6.centos.x86_64.rpm