[SUSE-SU-2018:3247-1] Security update for MozillaThunderbird

Severity Important

CVEs 19

Security update for MozillaThunderbird

This update for MozillaThunderbird to version 60.2.1 fixes the following issues:

Update to Thunderbird 60.2.1:

Calendar: Default values for the first day of the week and working days are now derived from the selected datetime formatting locale
Calendar: Switch to a Photon-style icon set for all platforms
Fix multiple requests for master password when Google Mail or Calendar OAuth2 is enabled
Fix scrollbar of the address entry auto-complete popup
Fix security info dialog in compose window not showing certificate status
Fix links in the Add-on Manager's search results and theme browsing tabs that opened in external browser
Fix localization not showing the localized name for the 'Drafts' and 'Sent' folders for certain IMAP providers
Fix replying to a message with an empty subject which inserted Re: twice
Fix spellcheck marks disappeaing erroneously for words with an apostrophe
Calendar: First day of the week can now be set
Calendar: Several fixes related to cutting/deleting of events and email schedulin

These security issues were fixed:

CVE-2018-12359: Prevent buffer overflow using computed size of canvas element (bsc#1098998).
CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998).
CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998).
CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998).
CVE-2018-5156: Prevent media recorder segmentation fault when track type is changed during capture (bsc#1098998).
CVE-2018-12363: Prevent use-after-free when appending DOM nodes (bsc#1098998).
CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998).
CVE-2018-12365: Prevent compromised IPC child process listing local filenames (bsc#1098998).
CVE-2018-12371: Prevent integer overflow in Skia library during edge builder allocation (bsc#1098998).
CVE-2018-12366: Prevent invalid data handling during QCMS transformations (bsc#1098998).
CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998).
CVE-2018-5187: Various memory safety bugs (bsc#1098998).
CVE-2018-5188: Various memory safety bugs (bsc#1098998).
CVE-2018-12377: Prevent use-after-free in refresh driver timers (bsc#1107343)
CVE-2018-12378: Prevent use-after-free in IndexedDB (bsc#1107343)
CVE-2017-16541: Prevent proxy bypass using automount and autofs (bsc#1066489)
CVE-2018-12376: Fixed various memory safety bugs (bsc#1107343)
CVE-2018-12385: Fixed crash in TransportSecurityInfo due to cached data (bsc#1109363)
CVE-2018-12383: Fixed that setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)

These can not, in general, be exploited through email, but are potential risks
in browser or browser-like contexts.

These non-security issues were fixed:

Storing of remote content settings fixed (bsc#1084603)
Improved message handling and composing
Improved handling of message templates
Support for OAuth2 and FIDO U2F
Various Calendar improvements
Various fixes and changes to e-mail workflow
Various IMAP fixes
Native desktop notifications
Fix date display issues (bsc#1109379)
Fix start-up crash due to folder name with special characters (bsc#1107772)

ID

SUSE-SU-2018:3247-1

Severity

important

URL

https://www.suse.com/support/update/announcement/2018/suse-su-20183247-1/

Published

2018-10-19T12:59:14
(6 years ago)

Modified

2018-10-19T12:59:14
(6 years ago)

Rights

Other Advisories

Source	Name	URL
Suse	SUSE ratings	https://www.suse.com/support/security/rating/
Suse	URL of this CSAF notice	https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_3247-1.json
Suse	URL for SUSE-SU-2018:3247-1	https://www.suse.com/support/update/announcement/2018/suse-su-20183247-1/
Suse	E-Mail link for SUSE-SU-2018:3247-1	https://lists.suse.com/pipermail/sle-security-updates/2018-October/004744.html
Bugzilla	SUSE Bug 1066489	https://bugzilla.suse.com/1066489
Bugzilla	SUSE Bug 1084603	https://bugzilla.suse.com/1084603
Bugzilla	SUSE Bug 1098998	https://bugzilla.suse.com/1098998
Bugzilla	SUSE Bug 1107343	https://bugzilla.suse.com/1107343
Bugzilla	SUSE Bug 1107772	https://bugzilla.suse.com/1107772
Bugzilla	SUSE Bug 1109363	https://bugzilla.suse.com/1109363
Bugzilla	SUSE Bug 1109379	https://bugzilla.suse.com/1109379
CVE	SUSE CVE CVE-2017-16541 page	https://www.suse.com/security/cve/CVE-2017-16541/
CVE	SUSE CVE CVE-2018-12359 page	https://www.suse.com/security/cve/CVE-2018-12359/
CVE	SUSE CVE CVE-2018-12360 page	https://www.suse.com/security/cve/CVE-2018-12360/
CVE	SUSE CVE CVE-2018-12361 page	https://www.suse.com/security/cve/CVE-2018-12361/
CVE	SUSE CVE CVE-2018-12362 page	https://www.suse.com/security/cve/CVE-2018-12362/
CVE	SUSE CVE CVE-2018-12363 page	https://www.suse.com/security/cve/CVE-2018-12363/
CVE	SUSE CVE CVE-2018-12364 page	https://www.suse.com/security/cve/CVE-2018-12364/
CVE	SUSE CVE CVE-2018-12365 page	https://www.suse.com/security/cve/CVE-2018-12365/
CVE	SUSE CVE CVE-2018-12366 page	https://www.suse.com/security/cve/CVE-2018-12366/
CVE	SUSE CVE CVE-2018-12367 page	https://www.suse.com/security/cve/CVE-2018-12367/
CVE	SUSE CVE CVE-2018-12371 page	https://www.suse.com/security/cve/CVE-2018-12371/
CVE	SUSE CVE CVE-2018-12376 page	https://www.suse.com/security/cve/CVE-2018-12376/
CVE	SUSE CVE CVE-2018-12377 page	https://www.suse.com/security/cve/CVE-2018-12377/
CVE	SUSE CVE CVE-2018-12378 page	https://www.suse.com/security/cve/CVE-2018-12378/
CVE	SUSE CVE CVE-2018-12383 page	https://www.suse.com/security/cve/CVE-2018-12383/
CVE	SUSE CVE CVE-2018-12385 page	https://www.suse.com/security/cve/CVE-2018-12385/
CVE	SUSE CVE CVE-2018-5156 page	https://www.suse.com/security/cve/CVE-2018-5156/
CVE	SUSE CVE CVE-2018-5187 page	https://www.suse.com/security/cve/CVE-2018-5187/
CVE	SUSE CVE CVE-2018-5188 page	https://www.suse.com/security/cve/CVE-2018-5188/

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date