openSUSE-SU-2018:3687-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2018:3687-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2018:3687-1
Related
Published
2018-11-09T08:34:29Z
Modified
2018-11-09T08:34:29Z
Summary
Security update for MozillaThunderbird
Details

This update for Mozilla Thunderbird to version 60.2.1 fixes multiple issues.

Multiple security issues were fixed in the Mozilla platform as advised in MFSA 2018-25 and MFSA 2018-28. In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts:

  • CVE-2018-12359: Prevent buffer overflow using computed size of canvas element (bsc#1098998)
  • CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998)
  • CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998)
  • CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998)
  • CVE-2018-5156: Prevent media recorder segmentation fault when track type is changed during capture (bsc#1098998)
  • CVE-2018-12363: Prevent use-after-free when appending DOM nodes (bsc#1098998)
  • CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998)
  • CVE-2018-12365: Prevent compromised IPC child process listing local filenames (bsc#1098998)
  • CVE-2018-12371: Prevent integer overflow in Skia library during edge builder allocation (bsc#1098998)
  • CVE-2018-12366: Prevent invalid data handling during QCMS transformations (bsc#1098998)
  • CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998)
  • CVE-2018-5187: Various memory safety bugs (bsc#1098998)
  • CVE-2018-5188: Various memory safety bugs (bsc#1098998)
  • CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
  • CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
  • CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
  • CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (bsc#1107343)
  • CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)
  • CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)
  • CVE-2018-12389: Fixed memory safety bugs (bsc#1112852)
  • CVE-2018-12390: Fixed memory safety bugs (bsc#1112852)
  • CVE-2018-12391: Fixed HTTP Live Stream audio data is accessible cross-origin (bsc#1112852)
  • CVE-2018-12392: Fixed crash with nested event loops (bsc#1112852)
  • CVE-2018-12393: Fixed integer overflow during Unicode conversion while loading JavaScript (bsc#1112852)

These non-security issues were fixed:

  • Fix date display issues (bsc#1109379)
  • Fix start-up crash due to folder name with special characters (bsc#1107772)
  • Storing of remote content settings fixed (bsc#1084603)
  • Improved message handling and composing
  • Improved handling of message templates
  • Support for OAuth2 and FIDO U2F
  • Various Calendar improvements
  • Various fixes and changes to e-mail workflow
  • Various IMAP fixes
  • Native desktop notifications
  • various theme fixes
  • Shift+PageUp/PageDown in Write window
  • Gloda attachment filtering
  • Mailing list address auto-complete enter/return handling
  • Thunderbird hung if HTML signature references non-existent image
  • Filters not working for headers that appear more than once
References

Affected packages

SUSE:Package Hub 12 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
60.3.0-74.2

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird-buildsymbols": "60.3.0-74.2",
            "MozillaThunderbird": "60.3.0-74.2",
            "MozillaThunderbird-translations-other": "60.3.0-74.2",
            "MozillaThunderbird-translations-common": "60.3.0-74.2"
        }
    ]
}