openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:3051-1
Rating:             important
References:         #1066489 #1084603 #1098998 #1107343 #1107772 
                    #1109363 #1109379 
Cross-References:   CVE-2017-16541 CVE-2018-12359 CVE-2018-12360
                    CVE-2018-12361 CVE-2018-12362 CVE-2018-12363
                    CVE-2018-12364 CVE-2018-12365 CVE-2018-12366
                    CVE-2018-12367 CVE-2018-12371 CVE-2018-12376
                    CVE-2018-12377 CVE-2018-12378 CVE-2018-12383
                    CVE-2018-12385 CVE-2018-16541 CVE-2018-5156
                    CVE-2018-5187 CVE-2018-5188
Affected Products:
                    openSUSE Leap 42.3
                    openSUSE Leap 15.0
______________________________________________________________________________

   An update that fixes 20 vulnerabilities is now available.

Description:

   This update for Mozilla Thunderbird to version 60.2.1 fixes multiple
   issues.

   Multiple security issues were fixed in the Mozilla platform as advised in
   MFSA 2018-25. In general, these flaws cannot be exploited through email in
   Thunderbird because scripting is disabled when reading mail, but are
   potentially risks in browser or browser-like contexts:

   - CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
   - CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
   - CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
   - CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR
     60.2 (bsc#1107343)
   - CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
     (bsc#1109363)
   - CVE-2018-12383: Setting a master password did not delete unencrypted
     previously stored passwords (bsc#1107343)
   - CVE-2018-12359: Buffer overflow using computed size of canvas element
     (bsc#1098998)
   - CVE-2018-12360: Use-after-free when using focus() (bsc#1098998)
   - CVE-2018-12361: Integer overflow in SwizzleData (bsc#1098998)
   - CVE-2018-12362: Integer overflow in SSSE3 scaler (bsc#1098998)
   - CVE-2018-12363: Use-after-free when appending DOM nodes (bsc#1098998)
   - CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
     (bsc#1098998)
   - CVE-2018-12365: Compromised IPC child process can list local filenames
     (bsc#1098998)
   - CVE-2018-12371: Integer overflow in Skia library during edge builder
     allocation (bsc#1098998)
   - CVE-2018-12366: Invalid data handling during QCMS transformations
     (bsc#1098998)
   - CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
     (bsc#1098998)
   - CVE-2018-5156: Media recorder segmentation fault when track type is
     changed during capture (bsc#1098998)
   - CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
     and Thunderbird 60 (bsc#1098998)
   - CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
     Firefox ESR 52.9, and Thunderbird 60 (bsc#1098998)

   Other bugs fixes:

   - Fix date display issues (bsc#1109379)
   - Fix start-up crash due to folder name with special characters     (bsc#1107772)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-1139=1

   - openSUSE Leap 15.0:

      zypper in -t patch openSUSE-2018-1139=1



Package List:

   - openSUSE Leap 42.3 (x86_64):

      MozillaThunderbird-60.2.1-77.2
      MozillaThunderbird-buildsymbols-60.2.1-77.2
      MozillaThunderbird-debuginfo-60.2.1-77.2
      MozillaThunderbird-debugsource-60.2.1-77.2
      MozillaThunderbird-translations-common-60.2.1-77.2
      MozillaThunderbird-translations-other-60.2.1-77.2

   - openSUSE Leap 15.0 (x86_64):

      MozillaThunderbird-60.2.1-lp150.3.19.1
      MozillaThunderbird-buildsymbols-60.2.1-lp150.3.19.1
      MozillaThunderbird-debuginfo-60.2.1-lp150.3.19.1
      MozillaThunderbird-debugsource-60.2.1-lp150.3.19.1
      MozillaThunderbird-translations-common-60.2.1-lp150.3.19.1
      MozillaThunderbird-translations-other-60.2.1-lp150.3.19.1


References:

   https://www.suse.com/security/cve/CVE-2017-16541.html
   https://www.suse.com/security/cve/CVE-2018-12359.html
   https://www.suse.com/security/cve/CVE-2018-12360.html
   https://www.suse.com/security/cve/CVE-2018-12361.html
   https://www.suse.com/security/cve/CVE-2018-12362.html
   https://www.suse.com/security/cve/CVE-2018-12363.html
   https://www.suse.com/security/cve/CVE-2018-12364.html
   https://www.suse.com/security/cve/CVE-2018-12365.html
   https://www.suse.com/security/cve/CVE-2018-12366.html
   https://www.suse.com/security/cve/CVE-2018-12367.html
   https://www.suse.com/security/cve/CVE-2018-12371.html
   https://www.suse.com/security/cve/CVE-2018-12376.html
   https://www.suse.com/security/cve/CVE-2018-12377.html
   https://www.suse.com/security/cve/CVE-2018-12378.html
   https://www.suse.com/security/cve/CVE-2018-12383.html
   https://www.suse.com/security/cve/CVE-2018-12385.html
   https://www.suse.com/security/cve/CVE-2018-16541.html
   https://www.suse.com/security/cve/CVE-2018-5156.html
   https://www.suse.com/security/cve/CVE-2018-5187.html
   https://www.suse.com/security/cve/CVE-2018-5188.html
   https://bugzilla.suse.com/1066489
   https://bugzilla.suse.com/1084603
   https://bugzilla.suse.com/1098998
   https://bugzilla.suse.com/1107343
   https://bugzilla.suse.com/1107772
   https://bugzilla.suse.com/1109363
   https://bugzilla.suse.com/1109379

--

openSUSE: 2018:3051-1: important: MozillaThunderbird

October 6, 2018
An update that fixes 20 vulnerabilities is now available.

Description

This update for Mozilla Thunderbird to version 60.2.1 fixes multiple issues. Multiple security issues were fixed in the Mozilla platform as advised in MFSA 2018-25. In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts: - CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343) - CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343) - CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489) - CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (bsc#1107343) - CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363) - CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343) - CVE-2018-12359: Buffer overflow using computed size of canvas element (bsc#1098998) - CVE-2018-12360: Use-after-free when using focus() (bsc#1098998) - CVE-2018-12361: Integer overflow in SwizzleData (bsc#1098998) - CVE-2018-12362: Integer overflow in SSSE3 scaler (bsc#1098998) - CVE-2018-12363: Use-after-free when appending DOM nodes (bsc#1098998) - CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998) - CVE-2018-12365: Compromised IPC child process can list local filenames (bsc#1098998) - CVE-2018-12371: Integer overflow in Skia library during edge builder allocation (bsc#1098998) - CVE-2018-12366: Invalid data handling during QCMS transformations (bsc#1098998) - CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998) - CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture (bsc#1098998) - CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60 (bsc#1098998) - CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 60 (bsc#1098998) Other bugs fixes: - Fix date display issues (bsc#1109379) - Fix start-up crash due to folder name with special characters (bsc#1107772)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-1139=1 - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-1139=1


Package List

- openSUSE Leap 42.3 (x86_64): MozillaThunderbird-60.2.1-77.2 MozillaThunderbird-buildsymbols-60.2.1-77.2 MozillaThunderbird-debuginfo-60.2.1-77.2 MozillaThunderbird-debugsource-60.2.1-77.2 MozillaThunderbird-translations-common-60.2.1-77.2 MozillaThunderbird-translations-other-60.2.1-77.2 - openSUSE Leap 15.0 (x86_64): MozillaThunderbird-60.2.1-lp150.3.19.1 MozillaThunderbird-buildsymbols-60.2.1-lp150.3.19.1 MozillaThunderbird-debuginfo-60.2.1-lp150.3.19.1 MozillaThunderbird-debugsource-60.2.1-lp150.3.19.1 MozillaThunderbird-translations-common-60.2.1-lp150.3.19.1 MozillaThunderbird-translations-other-60.2.1-lp150.3.19.1


References

https://www.suse.com/security/cve/CVE-2017-16541.html https://www.suse.com/security/cve/CVE-2018-12359.html https://www.suse.com/security/cve/CVE-2018-12360.html https://www.suse.com/security/cve/CVE-2018-12361.html https://www.suse.com/security/cve/CVE-2018-12362.html https://www.suse.com/security/cve/CVE-2018-12363.html https://www.suse.com/security/cve/CVE-2018-12364.html https://www.suse.com/security/cve/CVE-2018-12365.html https://www.suse.com/security/cve/CVE-2018-12366.html https://www.suse.com/security/cve/CVE-2018-12367.html https://www.suse.com/security/cve/CVE-2018-12371.html https://www.suse.com/security/cve/CVE-2018-12376.html https://www.suse.com/security/cve/CVE-2018-12377.html https://www.suse.com/security/cve/CVE-2018-12378.html https://www.suse.com/security/cve/CVE-2018-12383.html https://www.suse.com/security/cve/CVE-2018-12385.html https://www.suse.com/security/cve/CVE-2018-16541.html https://www.suse.com/security/cve/CVE-2018-5156.html https://www.suse.com/security/cve/CVE-2018-5187.html https://www.suse.com/security/cve/CVE-2018-5188.html https://bugzilla.suse.com/1066489 https://bugzilla.suse.com/1084603 https://bugzilla.suse.com/1098998 https://bugzilla.suse.com/1107343 https://bugzilla.suse.com/1107772 https://bugzilla.suse.com/1109363 https://bugzilla.suse.com/1109379--


Severity
Announcement ID: openSUSE-SU-2018:3051-1
Rating: important
Affected Products: openSUSE Leap 42.3 openSUSE Leap 15.0

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved