openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:3687-1
Rating:             important
References:         #1066489 #1084603 #1098998 #1107343 #1107772 
                    #1109363 #1109379 #1112852 
Cross-References:   CVE-2017-16541 CVE-2018-12359 CVE-2018-12360
                    CVE-2018-12361 CVE-2018-12362 CVE-2018-12363
                    CVE-2018-12364 CVE-2018-12365 CVE-2018-12366
                    CVE-2018-12367 CVE-2018-12371 CVE-2018-12376
                    CVE-2018-12377 CVE-2018-12378 CVE-2018-12383
                    CVE-2018-12385 CVE-2018-12389 CVE-2018-12390
                    CVE-2018-12391 CVE-2018-12392 CVE-2018-12393
                    CVE-2018-16541 CVE-2018-5156 CVE-2018-5187
                    CVE-2018-5188
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available.

Description:

   This update for Mozilla Thunderbird to version 60.2.1 fixes multiple
   issues.

   Multiple security issues were fixed in the Mozilla platform as advised in
   MFSA 2018-25 and MFSA 2018-28. In general, these flaws cannot be exploited
   through email in Thunderbird because scripting is disabled when reading
   mail, but they are potential risks in browser or browser-like contexts:

   - CVE-2018-12359: Prevent buffer overflow using computed size of canvas
     element (bsc#1098998)
   - CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998)
   - CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998)
   - CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998)
   - CVE-2018-5156: Prevent media recorder segmentation fault when track type
     is changed during capture (bsc#1098998)
   - CVE-2018-12363: Prevent use-after-free when appending DOM nodes
     (bsc#1098998)
   - CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI
     plugins (bsc#1098998)
   - CVE-2018-12365: Prevent compromised IPC child process listing local
     filenames (bsc#1098998)
   - CVE-2018-12371: Prevent integer overflow in Skia library during edge
     builder allocation (bsc#1098998)
   - CVE-2018-12366: Prevent invalid data handling during QCMS
     transformations (bsc#1098998)
   - CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
     (bsc#1098998)
   - CVE-2018-5187: Various memory safety bugs (bsc#1098998)
   - CVE-2018-5188: Various memory safety bugs (bsc#1098998)
   - CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
   - CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
   - CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
   - CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR
     60.2 (bsc#1107343)
   - CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
     (bsc#1109363)
   - CVE-2018-12383: Setting a master password did not delete unencrypted
     previously stored passwords (bsc#1107343)
   - CVE-2018-12389: Fixed memory safety bugs (bsc#1112852)
   - CVE-2018-12390: Fixed memory safety bugs (bsc#1112852)
   - CVE-2018-12391: Fixed HTTP Live Stream audio data being accessible
     cross-origin (bsc#1112852)
   - CVE-2018-12392: Fixed crash with nested event loops (bsc#1112852)
   - CVE-2018-12393: Fixed integer overflow during Unicode conversion while
     loading JavaScript (bsc#1112852)

   These non-security issues were fixed:

   - Fix date display issues (bsc#1109379)
   - Fix start-up crash due to folder name with special characters
     (bsc#1107772)
   - Storing of remote content settings fixed (bsc#1084603)
   - Improved message handling and composing
   - Improved handling of message templates
   - Support for OAuth2 and FIDO U2F
   - Various Calendar improvements
   - Various fixes and changes to e-mail workflow
   - Various IMAP fixes
   - Native desktop notifications
   - Various theme fixes
   - Shift+PageUp/PageDown in Write window
   - Gloda attachment filtering
   - Mailing list address auto-complete enter/return handling
   - Thunderbird hung if HTML signature references non-existent image
   - Filters not working for headers that appear more than once


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2018-1360=1



Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

      MozillaThunderbird-60.3.0-74.2
      MozillaThunderbird-buildsymbols-60.3.0-74.2
      MozillaThunderbird-translations-common-60.3.0-74.2
      MozillaThunderbird-translations-other-60.3.0-74.2
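   As an added verification step (not part of the advisory itself): the Python check below, fed the output of `rpm -qa 'MozillaThunderbird*'`, reports which of the packages listed above are still below the fixed version-release. The version comparison is a simplified re-implementation of rpm's algorithm, and the sample input is constructed for the demonstration.

```python
import re
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

# Packages and fixed version-release from this advisory's package list.
FIXED = {
    "MozillaThunderbird": "60.3.0-74.2",
    "MozillaThunderbird-buildsymbols": "60.3.0-74.2",
    "MozillaThunderbird-translations-common": "60.3.0-74.2",
    "MozillaThunderbird-translations-other": "60.3.0-74.2",
}

# Constructed sample in the shape of `rpm -qa` output; the versions below the fix are invented.
SAMPLE_RPM_QA = """\
MozillaThunderbird-60.2.1-70.1.x86_64
MozillaThunderbird-translations-common-60.3.0-74.2.x86_64
MozillaThunderbird-translations-other-60.3.0-73.1.x86_64
MozillaThunderbird-buildsymbols-60.3.0-74.2.x86_64
""".splitlines()

def rpmvercmp(a, b):
    """Simplified rpm version compare: numeric/alphabetic segments, numbers
    numerically, letters lexically, numeric beats alphabetic, more segments
    wins a tie. Real rpm's '~' and '^' rules are not handled."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed, fixed):
    """Compare 'version-release' strings the way rpm does; -1, 0 or 1."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def unpatched(rpm_qa_lines):
    """(name, version-release) of listed packages still below FIXED."""
    below = []
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, ver, rel = line.strip().rsplit(".", 1)[0].rsplit("-", 2)  # drop arch
        if name in FIXED and compare_vr(f"{ver}-{rel}", FIXED[name]) < 0:
            below.append((name, f"{ver}-{rel}"))
    return below
```

   Replace SAMPLE_RPM_QA with the real `rpm -qa` lines on the host; an empty result means every listed package is at or above the fixed build.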


References:

   https://www.suse.com/security/cve/CVE-2017-16541.html
   https://www.suse.com/security/cve/CVE-2018-12359.html
   https://www.suse.com/security/cve/CVE-2018-12360.html
   https://www.suse.com/security/cve/CVE-2018-12361.html
   https://www.suse.com/security/cve/CVE-2018-12362.html
   https://www.suse.com/security/cve/CVE-2018-12363.html
   https://www.suse.com/security/cve/CVE-2018-12364.html
   https://www.suse.com/security/cve/CVE-2018-12365.html
   https://www.suse.com/security/cve/CVE-2018-12366.html
   https://www.suse.com/security/cve/CVE-2018-12367.html
   https://www.suse.com/security/cve/CVE-2018-12371.html
   https://www.suse.com/security/cve/CVE-2018-12376.html
   https://www.suse.com/security/cve/CVE-2018-12377.html
   https://www.suse.com/security/cve/CVE-2018-12378.html
   https://www.suse.com/security/cve/CVE-2018-12383.html
   https://www.suse.com/security/cve/CVE-2018-12385.html
   https://www.suse.com/security/cve/CVE-2018-12389.html
   https://www.suse.com/security/cve/CVE-2018-12390.html
   https://www.suse.com/security/cve/CVE-2018-12391.html
   https://www.suse.com/security/cve/CVE-2018-12392.html
   https://www.suse.com/security/cve/CVE-2018-12393.html
   https://www.suse.com/security/cve/CVE-2018-16541.html
   https://www.suse.com/security/cve/CVE-2018-5156.html
   https://www.suse.com/security/cve/CVE-2018-5187.html
   https://www.suse.com/security/cve/CVE-2018-5188.html
   https://bugzilla.suse.com/1066489
   https://bugzilla.suse.com/1084603
   https://bugzilla.suse.com/1098998
   https://bugzilla.suse.com/1107343
   https://bugzilla.suse.com/1107772
   https://bugzilla.suse.com/1109363
   https://bugzilla.suse.com/1109379
   https://bugzilla.suse.com/1112852

-- 

November 9, 2018