An updated thunderbird package that fixes three security issues is now available for Red Hat Enterprise Linux 5 and 6.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-8634, CVE-2014-8639)

It was found that the Beacon interface implementation in Thunderbird did not follow the Cross-Origin Resource Sharing (CORS) specification. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (XSRF) attack. (CVE-2014-8638)

Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Patrick McManus, Muneaki Nishimura, and Xiaofeng Zheng as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.4.0. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.4.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.
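
To confirm that a host carries the corrected build, the installed version-release string can be compared against the fixed builds named in this erratum. The following is an added example, not part of the advisory or Red Hat tooling: it assumes the input comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' thunderbird`, ignores epochs, and uses a simplified segment comparison in the style of rpmvercmp (no tilde or caret handling); the function names are hypothetical.

```python
import re

# Fixed builds taken from this erratum's package lists, keyed by dist tag.
FIXED = {"el5": "31.4.0-1.el5_11", "el6": "31.4.0-1.el6_6"}


def _segments(s):
    # Split into runs of digits or letters; separators are discarded.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp-style comparison: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)  # numeric compare, so 10 > 4
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment sorts newer than alpha
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(installed_vr):
    """True if installed VERSION-RELEASE is at or above the fixed build."""
    m = re.search(r"\.(el\d+)", installed_vr)
    if not m or m.group(1) not in FIXED:
        raise ValueError("dist tag not covered by this erratum: " + installed_vr)
    fixed_v, fixed_r = FIXED[m.group(1)].rsplit("-", 1)
    inst_v, inst_r = installed_vr.rsplit("-", 1)
    # Compare version first; fall back to release only when versions tie.
    return (rpmvercmp(inst_v, fixed_v) or rpmvercmp(inst_r, fixed_r)) >= 0


if __name__ == "__main__":
    # Constructed sample inputs (not taken from a real host).
    for vr in ("31.3.0-1.el6_6", "31.4.0-1.el6_6", "31.10.0-1.el6_6"):
        print(vr, "patched" if is_patched(vr) else "VULNERABLE")
```

A plain string comparison would rank 31.10.0 below 31.4.0, which is why the segments are compared numerically.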
Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-31.4.0-1.el5_11.src.rpm

IA-32:
thunderbird-31.4.0-1.el5_11.i386.rpm
thunderbird-debuginfo-31.4.0-1.el5_11.i386.rpm

x86_64:
thunderbird-31.4.0-1.el5_11.x86_64.rpm
thunderbird-debuginfo-31.4.0-1.el5_11.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-31.4.0-1.el5_11.src.rpm

IA-32:
thunderbird-31.4.0-1.el5_11.i386.rpm
thunderbird-debuginfo-31.4.0-1.el5_11.i386.rpm

x86_64:
thunderbird-31.4.0-1.el5_11.x86_64.rpm
thunderbird-debuginfo-31.4.0-1.el5_11.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-31.4.0-1.el6_6.src.rpm

IA-32:
thunderbird-31.4.0-1.el6_6.i686.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.i686.rpm

x86_64:
thunderbird-31.4.0-1.el6_6.x86_64.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.x86_64.rpm
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-31.4.0-1.el6_6.src.rpm

IA-32:
thunderbird-31.4.0-1.el6_6.i686.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.i686.rpm

PPC:
thunderbird-31.4.0-1.el6_6.ppc64.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.ppc64.rpm

s390x:
thunderbird-31.4.0-1.el6_6.s390x.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.s390x.rpm

x86_64:
thunderbird-31.4.0-1.el6_6.x86_64.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.x86_64.rpm
 
Red Hat Enterprise Linux Server EUS (v. 6.6.z)

SRPMS:
thunderbird-31.4.0-1.el6_6.src.rpm

IA-32:
thunderbird-31.4.0-1.el6_6.i686.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.i686.rpm

PPC:
thunderbird-31.4.0-1.el6_6.ppc64.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.ppc64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-31.4.0-1.el6_6.src.rpm

IA-32:
thunderbird-31.4.0-1.el6_6.i686.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.i686.rpm

x86_64:
thunderbird-31.4.0-1.el6_6.x86_64.rpm
thunderbird-debuginfo-31.4.0-1.el6_6.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
1180962 – CVE-2014-8634 Mozilla: Miscellaneous memory safety hazards (rv:31.4) (MFSA 2015-01)
1180966 – CVE-2014-8638 Mozilla: sendBeacon requests lack an Origin header (MFSA 2015-03)
1180967 – CVE-2014-8639 Mozilla: Cookie injection through Proxy Authenticate responses (MFSA 2015-04)

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
