Operating System:

[WIN][UNIX/Linux]

Published:

15 July 2019

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2019.2608 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2608
                        thunderbird security update
                               15 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Debian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11730 CVE-2019-11729 CVE-2019-11719
                   CVE-2019-11717 CVE-2019-11715 CVE-2019-11713
                   CVE-2019-11712 CVE-2019-11711 CVE-2019-11709
                   CVE-2019-9811  

Reference:         ASB-2019.0191

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4482

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4482-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 14, 2019                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-9811 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712 
                 CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11730

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code, cross-site
scripting, spoofing, information disclosure, denial of service or
cross-site request forgery.

CVE-2019-11719 and CVE-2019-11729 are only addressed for stretch, in
buster Thunderbird uses the system-wide copy of NSS which will be updated
separately.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:60.8.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:60.8.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl0ri4cACgkQEMKTtsN8
TjY5/w//cX9asGjzkVqqqklIbwcrhK043apPrbsyFygpESJvMRxITAWiMyIY5YBS
uNvhrZlrk7rOSayxTLMibUbRk5nJIRpi1GG+i1uCinXQF6xxtgSIfhRmxq7cwYFV
Eeie5/Cb3PwFODiELZfoTbzzWznLMbdiyFxGpIz8GrMZenSS/jszD6dCOvxfG1h2
XYJ62x9fxyonWHdnL9BhfTMXp9KrYyp6df68chl1QpSd0e+zCu4XHt4OZK8pyjU7
FPguEEO+rPwwhON+rGLPlA/BhtUW1LyilzLc3asLyw7eMmX3PV5jngs3xNjBXedi
5oJnRkWLKClCgwfzgoYuI2k5Kj4kezUZsdB6zadJknVnIPkQsaUIJou+moxPqgwK
fYJTolfw/6csC4h6QXTvV4BolMh9wwy/lDHavhQMHqROHuScEdyL//UGnt+HBM+Y
++xvv+18niyq4whOKQOGeqYejN1XjgYlmUXnRY3/xPyW6QC2MT3X3L5yYWYe/aFz
ufQunXYa+W8FOoggUQFGbCvz+xvusXxMxUoj3SDUxh4KKgvKt3mDIOWDUuCeX4YC
hLeQN7klnuCr4w7UDiVG8guW/tGKVV+Fv+OsF7BA9r0wENokWivCeny7tWEOlfyu
p5s5FvC9JYTphpo0WPmvytIHA7bk+1Z1v5N1VC9hwqp1fEdlMG8=
=E4v6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXSwACGaOgq3Tt24GAQjjDBAA1/q/zjtfSL249D0IBV/w6Uq/gBzFwK2v
ppUXNwWwuXf39n0k5NcJCNYR51ocA/PoCRMqIKbhoqCCyoVQpOm2bejXQ7CA7HM+
mJk+zZtVbxmtv1LRscVzUYL2xwJ9hwOA62UCDQ5kZBuWaDZeJ8bJHdEd9CTK8H2H
Hr1cCyu+fQxa6mgP7XrOWaLPl3jT/RNdcwTOHwSDOIbAM1Km8CCn+7u+q69xslyY
hfkGmQnIqxXCXu98Bbvgygibm+NOarZRmXkjv9HulgccCKgZqDrMI6QRqn+RKDon
Gm3BtSe/HLkpyort7eBgvbB29EAoonnn1ZmQVQk1ZaoGoFaA8hLBVEKPvfwBKOe4
fqaISUuxaFQ9smgHmAx6YSe4TWlffxL/wQTHTspfdCyW3InjVvyutqCQa+qImX4+
GvVJCkmWr08ndaK0mmYOI0yWGf5+h+NyRsxKdsf+aB2HzZm16405iRC03945skbr
MNhePY+zpR5JNNAUX5fnT0lgCsQ4OKFT3tj9nyNruXN4lQEDqmYfxq0QYHReqfCc
biNOfzxDJXFSah48Slx810Jy3350ueVhQBr8Q7DBBE4zUI14b2rI8i09WZPUwbVv
sryU5dSVwBMDOA1Xa2AubQqj9i+OmB8vl3dFL2oD/SQ8eSP2TLKHTU5MVJVPrg10
UBXXVrJ7ij0=
=8ZZ2
-----END PGP SIGNATURE-----