This advisory covers a security update for Mozilla Thunderbird provided by Red Hat, upgrading the software to version 115.11.0. The update fixes six distinct vulnerabilities: CVE-2024-4367 (arbitrary JavaScript execution in PDF.js), CVE-2024-4767 (IndexedDB files retained in private browsing mode), CVE-2024-4768 (permissions request bypass via clickjacking), CVE-2024-4769 (cross-origin response content-type distinction), CVE-2024-4770 (use-after-free when printing to PDF), and CVE-2024-4777 (memory safety bugs). These issues affect Thunderbird as packaged for Red Hat Enterprise Linux 8.2 AUS. Red Hat rates the security impact as moderate and provides an official update to remediate these vulnerabilities.

The vulnerabilities fixed include arbitrary JavaScript execution which could allow malicious code execution via PDF.js, privacy issues with IndexedDB files being retained in private browsing mode, potential bypass of permissions requests through clickjacking, information disclosure through cross-origin response content-type distinctions, use-after-free memory corruption when printing to PDF, and other memory safety bugs. These issues could lead to unauthorized code execution, privacy breaches, or application crashes. The overall security impact is rated moderate by Red Hat.

An official security update to Thunderbird version 115.11.0 is available from Red Hat for Red Hat Enterprise Linux 8.2 AUS. Users should apply this update promptly. All running instances of Thunderbird must be restarted for the update to take effect. Refer to the Red Hat advisory RHSA-2024:3338 for detailed update instructions. Patch status is confirmed as fixed in Thunderbird 115.11.0.