Important CentOS thunderbird Security Update

Metadata

Severity: critical
Score: 9.3
Packages: thunderbird-38.7.0-1.el5.centos.i386.rpm, thunderbird-38.7.0-1.el5.centos.src.rpm, thunderbird-38.7.0-1.el5.centos.x86_64.rpm, thunderbird-38.7.0-1.el6.centos.i686.rpm, thunderbird-38.7.0-1.el6.centos.src.rpm, thunderbird-38.7.0-1.el6.centos.x86_64.rpm, thunderbird-38.7.0-1.el7.centos.src.rpm, thunderbird-38.7.0-1.el7.centos.x86_64.rpm
CVEs: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
Sources: rhn.redhat.com, lists.centos.org, lists.centos.org, lists.centos.org
Dates: 2016-03-16; 2017-07-27 19:10
Related records

Critical CentOS firefox Security Update

The same CVEs as recorded against other packages:

firefox: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
firefox-esr: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
icedove: CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
iceweasel: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
graphite2: CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
2017-04-01 19:09
2017-01-05 20:14

Description

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960,
CVE-2016-1961, CVE-2016-1974, CVE-2016-1964, CVE-2016-1966)

Multiple security flaws were found in the graphite2 font library shipped
with Thunderbird. A web page containing malicious content could cause
Thunderbird to crash or, potentially, execute arbitrary code with the
privileges of the user running Thunderbird. (CVE-2016-1977, CVE-2016-2790,
CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795,
CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800,
CVE-2016-2801, CVE-2016-2802)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bob Clary, Christoph Diehl, Christian Holler, Andrew
McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Nicolas
Golubovic, Jose Martinez, Romina Santillan, ca0nguyen, lokihardt, Nicolas
Grégoire, the Communications Electronics Security Group (UK) of the GCHQ,
Holger Fuhrmannek, Ronald Crane, and Tyson Smith as the original reporters
of these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.7.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.7.0 and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can let us figure it out for you: Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Release  Package      Patched in
5        thunderbird  thunderbird-38.7.0-1.el5.centos.i386.rpm
5        thunderbird  thunderbird-38.7.0-1.el5.centos.src.rpm
5        thunderbird  thunderbird-38.7.0-1.el5.centos.x86_64.rpm
6        thunderbird  thunderbird-38.7.0-1.el6.centos.i686.rpm
6        thunderbird  thunderbird-38.7.0-1.el6.centos.src.rpm
6        thunderbird  thunderbird-38.7.0-1.el6.centos.x86_64.rpm
7        thunderbird  thunderbird-38.7.0-1.el7.centos.src.rpm
7        thunderbird  thunderbird-38.7.0-1.el7.centos.x86_64.rpm
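Applying the constraints in the table to a host's package list needs rpm's version ordering rather than plain string comparison (a byte-wise comparison would rank a pre-release such as 38.7.0~beta1 above 38.7.0). The Python below is an added example, not Appcanary's code and not part of the CentOS or Red Hat advisory: it reimplements the ordering rules of rpm's rpmvercmp, reads a constructed inventory in the shape that `rpm -qa --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\n'` produces, and compares each installed thunderbird build against the patched-in EVRs from the table above. The sample inventory lines, the PATCHED_THUNDERBIRD map and all function names are this example's own; only the patched versions come from the page.

```python
import re

# Patched-in EVRs taken from the advisory's "Affected package information"
# table, keyed by CentOS release; the .src.rpm entries are not installable
# and are omitted. Tuple layout: (epoch, version, release).
PATCHED_THUNDERBIRD = {
    "5": (0, "38.7.0", "1.el5.centos"),
    "6": (0, "38.7.0", "1.el6.centos"),
    "7": (0, "38.7.0", "1.el7.centos"),
}

# Constructed sample inventory (not from a real host) in the shape produced by
#   rpm -qa --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\n'
# rpm prints "(none)" when a package has no epoch.
SAMPLE_INVENTORY = """\
thunderbird|(none)|38.6.0|1.el6.centos|x86_64
thunderbird|(none)|38.7.0|1.el7.centos|x86_64
thunderbird|(none)|38.7.0|2.el5.centos|i386
thunderbird|(none)|38.7.0~beta1|1.el6.centos|x86_64
bash|(none)|4.2.46|19.el7|x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings; returns -1, 0 or 1.

    Reimplements the rules of rpm's rpmvercmp (this is not rpm's own code):
    separators are ignored, strings are compared segment by segment, numeric
    segments compare as integers and beat alphabetic ones, a tilde sorts
    before anything including the end of the string, and whichever string
    has segments left over is newer. The '^' marker of newer rpm releases
    is not handled here.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta == "~" or tb == "~":
            if ta == tb:
                continue                      # tilde on both sides: keep going
            return -1 if ta == "~" else 1     # tilde side is older
        if ta is None:
            return -1                         # a ran out first: b is newer
        if tb is None:
            return 1
        if ta.isdigit() and tb.isdigit():
            na, nb = int(ta), int(tb)         # int() drops leading zeros
            if na != nb:
                return -1 if na < nb else 1
        elif ta.isdigit() or tb.isdigit():
            return 1 if ta.isdigit() else -1  # numeric beats alphabetic
        elif ta != tb:
            return -1 if ta < tb else 1
    return 0


def compare_evr(x, y) -> int:
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    if x[0] != y[0]:
        return -1 if x[0] < y[0] else 1
    c = rpmvercmp(x[1], y[1])
    return c if c else rpmvercmp(x[2], y[2])


def parse_inventory_line(line: str) -> dict:
    """Turn 'name|epoch|version|release|arch' into a dict; '(none)' epoch -> 0."""
    name, epoch, version, release, arch = line.split("|")
    return {"name": name, "epoch": 0 if epoch == "(none)" else int(epoch),
            "version": version, "release": release, "arch": arch}


def assess(pkg: dict) -> str:
    """Return VULNERABLE, PATCHED or NOT_APPLICABLE for one installed package."""
    if pkg["name"] != "thunderbird":
        return "NOT_APPLICABLE"
    m = re.search(r"\.el(\d+)", pkg["release"])
    if not m or m.group(1) not in PATCHED_THUNDERBIRD:
        return "NOT_APPLICABLE"               # not a CentOS build this advisory covers
    installed = (pkg["epoch"], pkg["version"], pkg["release"])
    patched = PATCHED_THUNDERBIRD[m.group(1)]
    return "VULNERABLE" if compare_evr(installed, patched) < 0 else "PATCHED"


def assess_inventory(text: str) -> list:
    """Assess every non-empty inventory line; returns [(nevra, verdict), ...]."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg = parse_inventory_line(line)
        nevra = f"{pkg['name']}-{pkg['version']}-{pkg['release']}.{pkg['arch']}"
        results.append((nevra, assess(pkg)))
    return results


if __name__ == "__main__":
    for nevra, verdict in assess_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:15} {nevra}")
```

On a real CentOS host, replace SAMPLE_INVENTORY with the output of the rpm query shown in the comment. The fourth sample line is there to show the tilde rule: 38.7.0~beta1 is reported vulnerable because rpm orders it before 38.7.0, while a plain string comparison would have called it newer. Release 2.el5.centos is accepted as patched because the release field is compared with the same rules after the versions tie.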