[SUSE-SU-2019:0338-1] Security update for MozillaThunderbird

Severity Important

CVEs 10

Security update for MozillaThunderbird

This update for MozillaThunderbird to version 60.5 fixes the following issues:

Security vulnerabilities addressed (MSFA 2019-03 MSFA 2018-31 bsc#1122983 bsc#1119105):

CVE-2018-18500: Use-after-free parsing HTML5 stream
CVE-2018-18505: Privilege escalation through IPC channel messages
CVE-2016-5824 DoS (use-after-free) via a crafted ics file
CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
CVE-2018-18492: Use-after-free with select element
CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia
CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
CVE-2018-18498: Integer overflow when calculating buffer sizes for images
CVE-2018-12405: Memory safety bugs fixed in Firefox 64, 60.4, and Thunderbird 60.4

Other bug fixes and changes:

FileLink provider WeTransfer to upload large attachments
Thunderbird now allows the addition of OpenSearch search engines from a local XML file using a minimal user interface: [+] button to select a file an add, [-] to remove.
More search engines: Google and DuckDuckGo available by default in some locales
During account creation, Thunderbird will now detect servers using the Microsoft Exchange protocol. It will offer the installation of a 3rd party add-on (Owl) which supports that protocol.
Thunderbird now compatible with other WebExtension-based FileLink add-ons like the Dropbox add-on
New WebExtensions FileLink API to facilitate add-ons
Fix decoding problems for messages with less common charsets (cp932, cp936)
New messages in the drafts folder (and other special or virtual folders) will no longer be included in the new messages notification
Thunderbird 60 will migrate security databases (key3.db, cert8.db to key4.db, cert9.db).
Address book search and auto-complete slowness
Plain text markup with * for bold, / for italics, _ for underline and | for code did not work when the enclosed text contained non-ASCII characters
While composing a message, a link not removed when link location was removed in the link properties panel
Encoding problems when exporting address books or messages using the system charset. Messages are now always exported using the UTF-8 encoding
If the 'Date' header of a message was invalid, Jan 1970 or Dec 1969 was displayed. Now using date from 'Received' header instead.
Body search/filtering didn't reliably ignore content of tags
Inappropriate warning 'Thunderbird prevented the site (addons.thunderbird.net) from asking you to install software on your computer' when installing add-ons
Incorrect display of correspondents column since own email address was not always detected
Spurious (encoded newline) inserted into drafts and sent email
Double-clicking on a word in the Write window sometimes launched the Advanced Property Editor or Link Properties dialog
Fixe Cookie removal
'Download rest of message' was not working if global inbox was used
Fix Encoding problems for users (especially in Poland) when a file was sent via a folder using 'Sent to > Mail recipient' due to a problem in the Thunderbird MAPI interface
According to RFC 4616 and RFC 5721, passwords containing non-ASCII characters are encoded using UTF-8 which can lead to problems with non-compliant providers, for example office365.com. The SMTP LOGIN and POP3 USER/PASS authentication methods are now using a Latin-1 encoding again to work around this issue
Fix shutdown crash/hang after entering an empty IMAP password

ID

SUSE-SU-2019:0338-1

Severity

important

URL

https://www.suse.com/support/update/announcement/2019/suse-su-20190338-1/

Published

2019-02-12T14:59:10
(5 years ago)

Modified

2019-02-12T14:59:10
(5 years ago)

Rights

Other Advisories

Source	Name	URL
Suse	SUSE ratings	https://www.suse.com/support/security/rating/
Suse	URL of this CSAF notice	https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0338-1.json
Suse	URL for SUSE-SU-2019:0338-1	https://www.suse.com/support/update/announcement/2019/suse-su-20190338-1/
Suse	E-Mail link for SUSE-SU-2019:0338-1	https://lists.suse.com/pipermail/sle-security-updates/2019-February/005110.html
Bugzilla	SUSE Bug 1119105	https://bugzilla.suse.com/1119105
Bugzilla	SUSE Bug 1122983	https://bugzilla.suse.com/1122983
CVE	SUSE CVE CVE-2016-5824 page	https://www.suse.com/security/cve/CVE-2016-5824/
CVE	SUSE CVE CVE-2018-12405 page	https://www.suse.com/security/cve/CVE-2018-12405/
CVE	SUSE CVE CVE-2018-17466 page	https://www.suse.com/security/cve/CVE-2018-17466/
CVE	SUSE CVE CVE-2018-18492 page	https://www.suse.com/security/cve/CVE-2018-18492/
CVE	SUSE CVE CVE-2018-18493 page	https://www.suse.com/security/cve/CVE-2018-18493/
CVE	SUSE CVE CVE-2018-18494 page	https://www.suse.com/security/cve/CVE-2018-18494/
CVE	SUSE CVE CVE-2018-18498 page	https://www.suse.com/security/cve/CVE-2018-18498/
CVE	SUSE CVE CVE-2018-18500 page	https://www.suse.com/security/cve/CVE-2018-18500/
CVE	SUSE CVE CVE-2018-18501 page	https://www.suse.com/security/cve/CVE-2018-18501/
CVE	SUSE CVE CVE-2018-18505 page	https://www.suse.com/security/cve/CVE-2018-18505/

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date