openSUSE-SU-2018:3687-1

See a problem?

Import Source

https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2018:3687-1.json

JSON Data

https://api.osv.dev/v1/vulns/openSUSE-SU-2018:3687-1

Related

Published

2018-11-09T08:34:29Z

Modified

2018-11-09T08:34:29Z

Summary

Security update for MozillaThunderbird

Details

This update for Mozilla Thunderbird to version 60.2.1 fixes multiple issues.

Multiple security issues were fixed in the Mozilla platform as advised in MFSA 2018-25 and MFSA 2018-28. In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts:

CVE-2018-12359: Prevent buffer overflow using computed size of canvas element (bsc#1098998)
CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998)
CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998)
CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998)
CVE-2018-5156: Prevent media recorder segmentation fault when track type is changed during capture (bsc#1098998)
CVE-2018-12363: Prevent use-after-free when appending DOM nodes (bsc#1098998)
CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998)
CVE-2018-12365: Prevent compromised IPC child process listing local filenames (bsc#1098998)
CVE-2018-12371: Prevent integer overflow in Skia library during edge builder allocation (bsc#1098998)
CVE-2018-12366: Prevent invalid data handling during QCMS transformations (bsc#1098998)
CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998)
CVE-2018-5187: Various memory safety bugs (bsc#1098998)
CVE-2018-5188: Various memory safety bugs (bsc#1098998)
CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (bsc#1107343)
CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)
CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)
CVE-2018-12389: Fixed memory safety bugs (bsc#1112852)
CVE-2018-12390: Fixed memory safety bugs (bsc#1112852)
CVE-2018-12391: Fixed HTTP Live Stream audio data is accessible cross-origin (bsc#1112852)
CVE-2018-12392: Fixed crash with nested event loops (bsc#1112852)
CVE-2018-12393: Fixed integer overflow during Unicode conversion while loading JavaScript (bsc#1112852)

These non-security issues were fixed:

Fix date display issues (bsc#1109379)
Fix start-up crash due to folder name with special characters (bsc#1107772)
Storing of remote content settings fixed (bsc#1084603)
Improved message handling and composing
Improved handling of message templates
Support for OAuth2 and FIDO U2F
Various Calendar improvements
Various fixes and changes to e-mail workflow
Various IMAP fixes
Native desktop notifications
various theme fixes
Shift+PageUp/PageDown in Write window
Gloda attachment filtering
Mailing list address auto-complete enter/return handling
Thunderbird hung if HTML signature references non-existent image
Filters not working for headers that appear more than once

References

Affected packages

SUSE:Package Hub 12 / MozillaThunderbird

Package

Name: MozillaThunderbird
Purl: purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

60.3.0-74.2

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird-buildsymbols": "60.3.0-74.2",
            "MozillaThunderbird": "60.3.0-74.2",
            "MozillaThunderbird-translations-other": "60.3.0-74.2",
            "MozillaThunderbird-translations-common": "60.3.0-74.2"
        }
    ]
}