The updated thunderbird packages fix security issues: Covert Content Attack on S/MIME encryption using a crafted multipart/ alternative message. (CVE-2019-11739)

MGASA-2019-0285 - Updated thunderbird packages fix security vulnerabilities

Publication date: 21 Sep 2019
URL: https://advisories.mageia.org/MGASA-2019-0285.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-11739,
     CVE-2019-11740,
     CVE-2019-11742,
     CVE-2019-11743,
     CVE-2019-11744,
     CVE-2019-11746,
     CVE-2019-11752

The updated thunderbird packages fix security issues:

Covert Content Attack on S/MIME encryption using a crafted multipart/
alternative message. (CVE-2019-11739)

Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9,
Thunderbird 68.1, and Thunderbird 60.9. (CVE-2019-11740)

Same-origin policy violation with SVG filters and canvas to steal
cross-origin images. (CVE-2019-11742)

Cross-origin access to unload event attributes. (CVE-2019-11743)

XSS by breaking out of title and textarea elements using innerHTML.
(CVE-2019-11744)

Use-after-free while manipulating video. (CVE-2019-11746)

Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752)

References:
- https://bugs.mageia.org/show_bug.cgi?id=25435
- https://www.thunderbird.net/en-US/thunderbird/68.1.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-30/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11739
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752

SRPMS:
- 7/core/thunderbird-68.1.0-1.1.mga7
- 7/core/thunderbird-l10n-68.1.0-1.mga7