Nacionalni CERT

Security vulnerabilities in the thunderbird software package

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2017:2885-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2885
Issue date:        2017-10-11
CVE Names:         CVE-2017-7793 CVE-2017-7810 CVE-2017-7814
                   CVE-2017-7818 CVE-2017-7819 CVE-2017-7823
                   CVE-2017-7824
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 52.4.0.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2017-7810, CVE-2017-7793, CVE-2017-7818, CVE-2017-7819,
CVE-2017-7824, CVE-2017-7814, CVE-2017-7823)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell
Jesup, Tom Ritter, Tyson Smith, Sebastian Hengst, Abhishek Arya, Nils,
Omair, Andre Weissflog, François Marier, and Jun Kokatsu as the original
reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1496649 - CVE-2017-7793 Mozilla: Use-after-free with Fetch API (MFSA 2017-22)
1496651 - CVE-2017-7810 Mozilla: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 (MFSA 2017-22)
1496652 - CVE-2017-7814 Mozilla: Blob and data URLs bypass phishing and malware protection warnings (MFSA 2017-22)
1496653 - CVE-2017-7818 Mozilla: Use-after-free during ARIA array manipulation (MFSA 2017-22)
1496654 - CVE-2017-7819 Mozilla: Use-after-free while resizing images in design mode (MFSA 2017-22)
1496655 - CVE-2017-7823 Mozilla: CSP sandbox directive did not create a unique origin (MFSA 2017-22)
1496656 - CVE-2017-7824 Mozilla: Buffer overflow when drawing and validating elements with ANGLE (MFSA 2017-22)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
thunderbird-52.4.0-2.el6_9.src.rpm

i386:
thunderbird-52.4.0-2.el6_9.i686.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.i686.rpm

x86_64:
thunderbird-52.4.0-2.el6_9.x86_64.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
thunderbird-52.4.0-2.el6_9.src.rpm

i386:
thunderbird-52.4.0-2.el6_9.i686.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.i686.rpm

ppc64:
thunderbird-52.4.0-2.el6_9.ppc64.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.ppc64.rpm

s390x:
thunderbird-52.4.0-2.el6_9.s390x.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.s390x.rpm

x86_64:
thunderbird-52.4.0-2.el6_9.x86_64.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
thunderbird-52.4.0-2.el6_9.src.rpm

i386:
thunderbird-52.4.0-2.el6_9.i686.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.i686.rpm

x86_64:
thunderbird-52.4.0-2.el6_9.x86_64.rpm
thunderbird-debuginfo-52.4.0-2.el6_9.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
thunderbird-52.4.0-2.el7_4.src.rpm

x86_64:
thunderbird-52.4.0-2.el7_4.x86_64.rpm
thunderbird-debuginfo-52.4.0-2.el7_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
thunderbird-52.4.0-2.el7_4.src.rpm

aarch64:
thunderbird-52.4.0-2.el7_4.aarch64.rpm
thunderbird-debuginfo-52.4.0-2.el7_4.aarch64.rpm

ppc64le:
thunderbird-52.4.0-2.el7_4.ppc64le.rpm
thunderbird-debuginfo-52.4.0-2.el7_4.ppc64le.rpm

x86_64:
thunderbird-52.4.0-2.el7_4.x86_64.rpm
thunderbird-debuginfo-52.4.0-2.el7_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
thunderbird-52.4.0-2.el7_4.src.rpm

x86_64:
thunderbird-52.4.0-2.el7_4.x86_64.rpm
thunderbird-debuginfo-52.4.0-2.el7_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7793
https://access.redhat.com/security/cve/CVE-2017-7810
https://access.redhat.com/security/cve/CVE-2017-7814
https://access.redhat.com/security/cve/CVE-2017-7818
https://access.redhat.com/security/cve/CVE-2017-7819
https://access.redhat.com/security/cve/CVE-2017-7823
https://access.redhat.com/security/cve/CVE-2017-7824
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZ3qwTXlSAg2UNWIIRArjZAKDFO1TJ/WI8V4T2Mvakmr/Tv957iwCfXPMv
YqDnxYZmZwjOQCvlC0lLfPQ=
=gYSV
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
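The advisory's Solution and Package List sections give the fixed builds (thunderbird-52.4.0-2.el6_9 and thunderbird-52.4.0-2.el7_4) but leave it to the administrator to tell whether a given host is already at or past them. The following triage helper is an added example, not part of the advisory or of Red Hat's tooling: it parses NVRA strings as printed by `rpm -qa`, compares version and release labels with a simplified re-implementation of rpmvercmp (digit runs compared numerically, letter runs lexically, a numeric segment outranking an alphabetic one; tilde and caret handling is omitted), and maps each package to fixed / vulnerable / unknown. The `rpm -qa` lines in `SAMPLE_RPM_QA` are constructed for the demonstration.

```python
"""Triage helper for RHSA-2017:2885: is an installed Thunderbird RPM at or
above the fixed build listed in section 6 of the advisory?

Added example; not part of the advisory or of Red Hat's tooling. The label
comparison is a simplified rpmvercmp (tilde/caret handling omitted) and the
sample `rpm -qa` output below is constructed.
"""
import re
from itertools import zip_longest

# Fixed (version, release) per RHEL major, from section 6 of RHSA-2017:2885.
FIXED_BUILDS = {
    "6": ("52.4.0", "2.el6_9"),
    "7": ("52.4.0", "2.el7_4"),
}

# name-version-release.arch, e.g. thunderbird-debuginfo-52.4.0-2.el6_9.i686
NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def _segments(label):
    """Split a label into digit runs and letter runs, as rpmvercmp does;
    any other character (".", "_") only separates segments."""
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpm_label_cmp(a, b):
    """Compare two RPM version/release labels: -1 (a < b), 0, or 1 (a > b)."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1                   # a ran out of segments first: older
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)     # numeric compare, so "10" > "9"
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1      # numeric segment outranks alphabetic
        elif x != y:
            return 1 if x > y else -1   # plain string compare for letters
    return 0


def parse_nvra(pkg):
    """Split an NVRA string into name, version, release and arch."""
    m = NVRA_RE.match(pkg.strip())
    if not m:
        raise ValueError(f"not an NVRA string: {pkg!r}")
    return m.groupdict()


def is_fixed(nvra):
    """True if at/after the fixed build, False if older, None if the release
    carries no el6/el7 dist tag this advisory covers."""
    p = parse_nvra(nvra)
    m = re.search(r"\.el(\d+)", p["release"])
    if not m or m.group(1) not in FIXED_BUILDS:
        return None
    fixed_version, fixed_release = FIXED_BUILDS[m.group(1)]
    c = rpm_label_cmp(p["version"], fixed_version)
    if c == 0:                          # same version: the release decides
        c = rpm_label_cmp(p["release"], fixed_release)
    return c >= 0


def triage(rpm_qa_lines):
    """Map every thunderbird* package line to 'fixed', 'VULNERABLE' or
    'unknown dist'; other packages are ignored."""
    labels = {True: "fixed", False: "VULNERABLE", None: "unknown dist"}
    report = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if line.startswith("thunderbird"):
            report[line] = labels[is_fixed(line)]
    return report


# Constructed sample of `rpm -qa 'thunderbird*'` output gathered from hosts.
SAMPLE_RPM_QA = """
thunderbird-52.3.0-3.el6_9.x86_64
thunderbird-52.4.0-2.el7_4.x86_64
thunderbird-debuginfo-52.4.0-2.el7_4.x86_64
thunderbird-60.3.0-1.el7.x86_64
thunderbird-52.4.0-1.fc26.x86_64
""".strip().splitlines()

if __name__ == "__main__":
    for pkg, status in triage(SAMPLE_RPM_QA).items():
        print(f"{status:14} {pkg}")
```

A package reported as "fixed" is only half the picture: section 4 states that every running Thunderbird instance must be restarted before the update takes effect, and an installed-package check cannot see that. On a live host, feed the script the real `rpm -qa 'thunderbird*'` output and treat a surviving pre-update process (for example via `needs-restarting` from yum-utils) as still exposed.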
Security vulnerabilities have been discovered in the thunderbird software package for the RHEL operating system. The discovered vulnerabilities allow potential attackers to crash the application or execute arbitrary code with the privileges of the user. Updating with the released patches is advised.