1. Home
  2. Security Advisories
  3. OpenSUSE
  4. openSUSE-SU-2018:3687-1

[openSUSE-SU-2018:3687-1] Security update for MozillaThunderbird

Severity Important
Affected Packages 4
CVEs 25
Info Packages References Vulnerabilities

Security update for MozillaThunderbird

This update for Mozilla Thunderbird to version 60.2.1 fixes multiple issues.

Multiple security issues were fixed in the Mozilla platform as advised in MFSA 2018-25 and MFSA 2018-28.
In general, these flaws cannot be exploited through email in Thunderbird because scripting
is disabled when reading mail, but are potentially risks in browser or browser-like contexts:

  • CVE-2018-12359: Prevent buffer overflow using computed size of canvas element (bsc#1098998)
  • CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998)
  • CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998)
  • CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998)
  • CVE-2018-5156: Prevent media recorder segmentation fault when track type is changed during capture (bsc#1098998)
  • CVE-2018-12363: Prevent use-after-free when appending DOM nodes (bsc#1098998)
  • CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998)
  • CVE-2018-12365: Prevent compromised IPC child process listing local filenames (bsc#1098998)
  • CVE-2018-12371: Prevent integer overflow in Skia library during edge builder allocation (bsc#1098998)
  • CVE-2018-12366: Prevent invalid data handling during QCMS transformations (bsc#1098998)
  • CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998)
  • CVE-2018-5187: Various memory safety bugs (bsc#1098998)
  • CVE-2018-5188: Various memory safety bugs (bsc#1098998)
  • CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
  • CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
  • CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
  • CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (bsc#1107343)
  • CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)
  • CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)
  • CVE-2018-12389: Fixed memory safety bugs (bsc#1112852)
  • CVE-2018-12390: Fixed memory safety bugs (bsc#1112852)
  • CVE-2018-12391: Fixed HTTP Live Stream audio data is accessible cross-origin (bsc#1112852)
  • CVE-2018-12392: Fixed crash with nested event loops (bsc#1112852)
  • CVE-2018-12393: Fixed integer overflow during Unicode conversion while loading JavaScript (bsc#1112852)

These non-security issues were fixed:

  • Fix date display issues (bsc#1109379)
  • Fix start-up crash due to folder name with special characters (bsc#1107772)
  • Storing of remote content settings fixed (bsc#1084603)
  • Improved message handling and composing
  • Improved handling of message templates
  • Support for OAuth2 and FIDO U2F
  • Various Calendar improvements
  • Various fixes and changes to e-mail workflow
  • Various IMAP fixes
  • Native desktop notifications
  • various theme fixes
  • Shift+PageUp/PageDown in Write window
  • Gloda attachment filtering
  • Mailing list address auto-complete enter/return handling
  • Thunderbird hung if HTML signature references non-existent image
  • Filters not working for headers that appear more than once
Package Affected Version
pkg:rpm/opensuse/MozillaThunderbird?arch=x86_64&distro=opensuse-12&repo=suse-package-hub < 60.3.0-74.2
pkg:rpm/opensuse/MozillaThunderbird-translations-other?arch=x86_64&distro=opensuse-12&repo=suse-package-hub < 60.3.0-74.2
pkg:rpm/opensuse/MozillaThunderbird-translations-common?arch=x86_64&distro=opensuse-12&repo=suse-package-hub < 60.3.0-74.2
pkg:rpm/opensuse/MozillaThunderbird-buildsymbols?arch=x86_64&distro=opensuse-12&repo=suse-package-hub < 60.3.0-74.2
ID
openSUSE-SU-2018:3687-1
Severity
important
URL
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BBHDVB7NPDAZXEW2BECURXKYFEGTTUL4/#BBHDVB7NPDAZXEW2BECURXKYFEGTTUL4
Published
2018-11-09T08:34:29
(5 years ago)
Modified
2018-11-09T08:34:29
(5 years ago)
Rights
Copyright 2024 SUSE LLC. All rights reserved.
Other Advisories
Source # ID Name URL
Suse SUSE ratings https://www.suse.com/support/security/rating/
Suse URL of this CSAF notice https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2018_3687-1.json
Suse URL for openSUSE-SU-2018:3687-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BBHDVB7NPDAZXEW2BECURXKYFEGTTUL4/#BBHDVB7NPDAZXEW2BECURXKYFEGTTUL4
Suse E-Mail link for openSUSE-SU-2018:3687-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BBHDVB7NPDAZXEW2BECURXKYFEGTTUL4/#BBHDVB7NPDAZXEW2BECURXKYFEGTTUL4
Bugzilla SUSE Bug 1066489 https://bugzilla.suse.com/1066489
Bugzilla SUSE Bug 1084603 https://bugzilla.suse.com/1084603
Bugzilla SUSE Bug 1098998 https://bugzilla.suse.com/1098998
Bugzilla SUSE Bug 1107343 https://bugzilla.suse.com/1107343
Bugzilla SUSE Bug 1107772 https://bugzilla.suse.com/1107772
Bugzilla SUSE Bug 1109363 https://bugzilla.suse.com/1109363
Bugzilla SUSE Bug 1109379 https://bugzilla.suse.com/1109379
Bugzilla SUSE Bug 1112852 https://bugzilla.suse.com/1112852
CVE SUSE CVE CVE-2017-16541 page https://www.suse.com/security/cve/CVE-2017-16541/
CVE SUSE CVE CVE-2018-12359 page https://www.suse.com/security/cve/CVE-2018-12359/
CVE SUSE CVE CVE-2018-12360 page https://www.suse.com/security/cve/CVE-2018-12360/
CVE SUSE CVE CVE-2018-12361 page https://www.suse.com/security/cve/CVE-2018-12361/
CVE SUSE CVE CVE-2018-12362 page https://www.suse.com/security/cve/CVE-2018-12362/
CVE SUSE CVE CVE-2018-12363 page https://www.suse.com/security/cve/CVE-2018-12363/
CVE SUSE CVE CVE-2018-12364 page https://www.suse.com/security/cve/CVE-2018-12364/
CVE SUSE CVE CVE-2018-12365 page https://www.suse.com/security/cve/CVE-2018-12365/
CVE SUSE CVE CVE-2018-12366 page https://www.suse.com/security/cve/CVE-2018-12366/
CVE SUSE CVE CVE-2018-12367 page https://www.suse.com/security/cve/CVE-2018-12367/
CVE SUSE CVE CVE-2018-12371 page https://www.suse.com/security/cve/CVE-2018-12371/
CVE SUSE CVE CVE-2018-12376 page https://www.suse.com/security/cve/CVE-2018-12376/
CVE SUSE CVE CVE-2018-12377 page https://www.suse.com/security/cve/CVE-2018-12377/
CVE SUSE CVE CVE-2018-12378 page https://www.suse.com/security/cve/CVE-2018-12378/
CVE SUSE CVE CVE-2018-12383 page https://www.suse.com/security/cve/CVE-2018-12383/
CVE SUSE CVE CVE-2018-12385 page https://www.suse.com/security/cve/CVE-2018-12385/
CVE SUSE CVE CVE-2018-12389 page https://www.suse.com/security/cve/CVE-2018-12389/
CVE SUSE CVE CVE-2018-12390 page https://www.suse.com/security/cve/CVE-2018-12390/
CVE SUSE CVE CVE-2018-12391 page https://www.suse.com/security/cve/CVE-2018-12391/
CVE SUSE CVE CVE-2018-12392 page https://www.suse.com/security/cve/CVE-2018-12392/
CVE SUSE CVE CVE-2018-12393 page https://www.suse.com/security/cve/CVE-2018-12393/
CVE SUSE CVE CVE-2018-16541 page https://www.suse.com/security/cve/CVE-2018-16541/
CVE SUSE CVE CVE-2018-5156 page https://www.suse.com/security/cve/CVE-2018-5156/
CVE SUSE CVE CVE-2018-5187 page https://www.suse.com/security/cve/CVE-2018-5187/
CVE SUSE CVE CVE-2018-5188 page https://www.suse.com/security/cve/CVE-2018-5188/
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:rpm/opensuse/MozillaThunderbird?arch=x86_64&distro=opensuse-12&repo=suse-package-hub opensuse MozillaThunderbird < 60.3.0-74.2 opensuse-12 x86_64
Affected pkg:rpm/opensuse/MozillaThunderbird-translations-other?arch=x86_64&distro=opensuse-12&repo=suse-package-hub opensuse MozillaThunderbird-translations-other < 60.3.0-74.2 opensuse-12 x86_64
Affected pkg:rpm/opensuse/MozillaThunderbird-translations-common?arch=x86_64&distro=opensuse-12&repo=suse-package-hub opensuse MozillaThunderbird-translations-common < 60.3.0-74.2 opensuse-12 x86_64
Affected pkg:rpm/opensuse/MozillaThunderbird-buildsymbols?arch=x86_64&distro=opensuse-12&repo=suse-package-hub opensuse MozillaThunderbird-buildsymbols < 60.3.0-74.2 opensuse-12 x86_64
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date