-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2023:5438-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5438
Issue date:        2023-10-04
CVE Names:         CVE-2023-3600 CVE-2023-5169 CVE-2023-5171 
                   CVE-2023-5176 CVE-2023-5217 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.3.1.

Security Fix(es):

* firefox: use-after-free in workers (CVE-2023-3600)

* Mozilla: Out-of-bounds write in PathOps (CVE-2023-5169)

* Mozilla: Use-after-free in Ion Compiler (CVE-2023-5171)

* Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and
Thunderbird 115.3 (CVE-2023-5176)

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2222652 - CVE-2023-3600 firefox: use-after-free in workers
2240893 - CVE-2023-5169 Mozilla: Out-of-bounds write in PathOps
2240894 - CVE-2023-5171 Mozilla: Use-after-free in Ion Compiler
2240896 - CVE-2023-5176 Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:
thunderbird-115.3.1-1.el8_1.src.rpm

ppc64le:
thunderbird-115.3.1-1.el8_1.ppc64le.rpm
thunderbird-debuginfo-115.3.1-1.el8_1.ppc64le.rpm
thunderbird-debugsource-115.3.1-1.el8_1.ppc64le.rpm

x86_64:
thunderbird-115.3.1-1.el8_1.x86_64.rpm
thunderbird-debuginfo-115.3.1-1.el8_1.x86_64.rpm
thunderbird-debugsource-115.3.1-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3600
https://access.redhat.com/security/cve/CVE-2023-5169
https://access.redhat.com/security/cve/CVE-2023-5171
https://access.redhat.com/security/cve/CVE-2023-5176
https://access.redhat.com/security/cve/CVE-2023-5217
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlHYRmAAoJENzjgjWX9erE0twP/j57U4dEN54dRtgb9DRVkNd9
2tH2nHg/JnuePH1/yjhzEvlQZNHGEnH3zIas2y7fPp4pHm0pSxRPmZXLJ4Zct1iA
bBKfx1e5gofvmrsShtCmA0Ty5s1DtKvKkVqiNv8uj1feWClUj+5h4uHXR1lnexmn
NNjLR6H37G201lUKs+baq8bxUXZou7nd+jvQTTdYnP2Hq2tL9XrOT77yve43ybv1
N1uiFjbZ57w+/1FVtrJ8UkUDdnesA430bnwt0FTyBwkl0wny6dVNYYHWIg21Y4Ch
3yMoer1gVQfYTvZAAwJksFWCil4WZ3rvjFXYssbCjXgbOT0gLdLxnUFhtBSFXqnN
zJq++Kpg6udOusHKdHtO4WL7hWf8PcbhHldLhSSUvAAYI18rZGQhJBjAzZ6JspHo
JzS35dBV4logn/JaclaB7AR/zHH/ZNrdl0DgDVkNRLP9pJAk5BHl1n/h5x6A5Y7T
XC2UT5FBkR+VLU2Dkfr6E1wHxdbCwQDJxwvhRgtokP3H7eGBPSUsMGYjNq1U1smn
TGg0gaEFn3p1wBkfJJdT6THk7ehF8XBW3EzEhHfBnmh13rWoGmNJuUiG0FGVxo5H
rrDbp1ADFw9kSWrO5Sk12LkYDR+zm5SMGd9qZKEpHfzP0vvPZHYLG5+iexvoR2Wi
6S8zGrSdbYkfij3yxAew
=wHgB
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-5438:01 Important: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Summary

Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 115.3.1.
Security Fix(es):
* firefox: use-after-free in workers (CVE-2023-3600)
* Mozilla: Out-of-bounds write in PathOps (CVE-2023-5169)
* Mozilla: Use-after-free in Ion Compiler (CVE-2023-5171)
* Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (CVE-2023-5176)
* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to take effect.

References

https://access.redhat.com/security/cve/CVE-2023-3600 https://access.redhat.com/security/cve/CVE-2023-5169 https://access.redhat.com/security/cve/CVE-2023-5171 https://access.redhat.com/security/cve/CVE-2023-5176 https://access.redhat.com/security/cve/CVE-2023-5217 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux AppStream E4S (v. 8.1):
Source: thunderbird-115.3.1-1.el8_1.src.rpm
ppc64le: thunderbird-115.3.1-1.el8_1.ppc64le.rpm thunderbird-debuginfo-115.3.1-1.el8_1.ppc64le.rpm thunderbird-debugsource-115.3.1-1.el8_1.ppc64le.rpm
x86_64: thunderbird-115.3.1-1.el8_1.x86_64.rpm thunderbird-debuginfo-115.3.1-1.el8_1.x86_64.rpm thunderbird-debugsource-115.3.1-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:5438-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5438
Issued Date: : 2023-10-04
CVE Names: CVE-2023-3600 CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64


Bugs Fixed

2222652 - CVE-2023-3600 firefox: use-after-free in workers

2240893 - CVE-2023-5169 Mozilla: Out-of-bounds write in PathOps

2240894 - CVE-2023-5171 Mozilla: Use-after-free in Ion Compiler

2240896 - CVE-2023-5176 Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved