You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa Mozilla Thunderbird

Sigurnosni nedostaci programskog paketa Mozilla Thunderbird

openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1905-1
Rating: moderate
References: #1076907 #1085780 #1091376 #1098998 #1100079
#1100081 #1100082
Cross-References: CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
CVE-2018-12366 CVE-2018-12372 CVE-2018-12373
CVE-2018-12374 CVE-2018-5188
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 11 vulnerabilities is now available.

Description:

This update for Mozilla Thunderbird to version 52.9.0 fixes multiple
issues.

Security issues fixed, inherited from the Mozilla common code base (MFSA
2018-16, bsc#1098998):

– CVE-2018-12359: Buffer overflow using computed size of canvas element
– CVE-2018-12360: Use-after-free when using focus()
– CVE-2018-12362: Integer overflow in SSSE3 scaler
– CVE-2018-12363: Use-after-free when appending DOM nodes
– CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
– CVE-2018-12365: Compromised IPC child process can list local filenames
– CVE-2018-12366: Invalid data handling during QCMS transformations
– CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0

Security issues fixed that affect e-mail privacy and integrity (including
EFAIL):

– CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
emails (bsc#1100082)
– CVE-2018-12373: S/MIME plaintext can be leaked through HTML
reply/forward (bsc#1100079)
– CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
enter in form field (bsc#1100081)

The following options are available for added security in certain
scenarios:

– Option for not decrypting subordinate message parts that otherwise might
reveal decryted content to the attacker. Preference
mailnews.p7m_subparts_external needs to be set to true for added
security.

The following upstream changes are included:

– Thunderbird will now prompt to compact IMAP folders even if the account
is online
– Fix various problems when forwarding messages inline when using “simple”
HTML view

The following tracked packaging changes are included:

– correct requires and provides handling (boo#1076907)
– reduce memory footprint with %ix86 at linking time via additional
compiler flags (boo#1091376)
– Build from upstream source archive and verify source signature
(boo#1085780)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-701=1

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-701=1

Package List:

– openSUSE Leap 42.3 (x86_64):

MozillaThunderbird-52.9.0-68.1
MozillaThunderbird-buildsymbols-52.9.0-68.1
MozillaThunderbird-debuginfo-52.9.0-68.1
MozillaThunderbird-debugsource-52.9.0-68.1
MozillaThunderbird-devel-52.9.0-68.1
MozillaThunderbird-translations-common-52.9.0-68.1
MozillaThunderbird-translations-other-52.9.0-68.1

– openSUSE Leap 15.0 (x86_64):

MozillaThunderbird-52.9.0-lp150.3.8.1
MozillaThunderbird-buildsymbols-52.9.0-lp150.3.8.1
MozillaThunderbird-debuginfo-52.9.0-lp150.3.8.1
MozillaThunderbird-debugsource-52.9.0-lp150.3.8.1
MozillaThunderbird-devel-52.9.0-lp150.3.8.1
MozillaThunderbird-translations-common-52.9.0-lp150.3.8.1
MozillaThunderbird-translations-other-52.9.0-lp150.3.8.1

References:

https://www.suse.com/security/cve/CVE-2018-12359.html
https://www.suse.com/security/cve/CVE-2018-12360.html
https://www.suse.com/security/cve/CVE-2018-12362.html
https://www.suse.com/security/cve/CVE-2018-12363.html
https://www.suse.com/security/cve/CVE-2018-12364.html
https://www.suse.com/security/cve/CVE-2018-12365.html
https://www.suse.com/security/cve/CVE-2018-12366.html
https://www.suse.com/security/cve/CVE-2018-12372.html
https://www.suse.com/security/cve/CVE-2018-12373.html
https://www.suse.com/security/cve/CVE-2018-12374.html
https://www.suse.com/security/cve/CVE-2018-5188.html
https://bugzilla.suse.com/1076907
https://bugzilla.suse.com/1085780
https://bugzilla.suse.com/1091376
https://bugzilla.suse.com/1098998
https://bugzilla.suse.com/1100079
https://bugzilla.suse.com/1100081
https://bugzilla.suse.com/1100082


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1907-1
Rating: moderate
References: #1076907 #1085780 #1091376 #1098998 #1100079
#1100081 #1100082
Cross-References: CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
CVE-2018-12366 CVE-2018-12372 CVE-2018-12373
CVE-2018-12374 CVE-2018-5188
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes 11 vulnerabilities is now available.

Description:

This update for Mozilla Thunderbird to version 52.9.0 fixes multiple
issues.

Security issues fixed, inherited from the Mozilla common code base (MFSA
2018-16, bsc#1098998):

– CVE-2018-12359: Buffer overflow using computed size of canvas element
– CVE-2018-12360: Use-after-free when using focus()
– CVE-2018-12362: Integer overflow in SSSE3 scaler
– CVE-2018-12363: Use-after-free when appending DOM nodes
– CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
– CVE-2018-12365: Compromised IPC child process can list local filenames
– CVE-2018-12366: Invalid data handling during QCMS transformations
– CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0

Security issues fixed that affect e-mail privacy and integrity (including
EFAIL):

– CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
emails (bsc#1100082)
– CVE-2018-12373: S/MIME plaintext can be leaked through HTML
reply/forward (bsc#1100079)
– CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
enter in form field (bsc#1100081)

The following options are available for added security in certain
scenarios:

– Option for not decrypting subordinate message parts that otherwise might
reveal decryted content to the attacker. Preference
mailnews.p7m_subparts_external needs to be set to true for added
security.

The following upstream changes are included:

– Thunderbird will now prompt to compact IMAP folders even if the account
is online
– Fix various problems when forwarding messages inline when using “simple”
HTML view

The following tracked packaging changes are included:

– correct requires and provides handling (boo#1076907)
– reduce memory footprint with %ix86 at linking time via additional
compiler flags (boo#1091376)
– Build from upstream source archive and verify source signature
(boo#1085780)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2018-701=1

Package List:

– SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

MozillaThunderbird-52.9.0-65.1
MozillaThunderbird-buildsymbols-52.9.0-65.1
MozillaThunderbird-debuginfo-52.9.0-65.1
MozillaThunderbird-debugsource-52.9.0-65.1
MozillaThunderbird-devel-52.9.0-65.1
MozillaThunderbird-translations-common-52.9.0-65.1
MozillaThunderbird-translations-other-52.9.0-65.1

References:

https://www.suse.com/security/cve/CVE-2018-12359.html
https://www.suse.com/security/cve/CVE-2018-12360.html
https://www.suse.com/security/cve/CVE-2018-12362.html
https://www.suse.com/security/cve/CVE-2018-12363.html
https://www.suse.com/security/cve/CVE-2018-12364.html
https://www.suse.com/security/cve/CVE-2018-12365.html
https://www.suse.com/security/cve/CVE-2018-12366.html
https://www.suse.com/security/cve/CVE-2018-12372.html
https://www.suse.com/security/cve/CVE-2018-12373.html
https://www.suse.com/security/cve/CVE-2018-12374.html
https://www.suse.com/security/cve/CVE-2018-5188.html
https://bugzilla.suse.com/1076907
https://bugzilla.suse.com/1085780
https://bugzilla.suse.com/1091376
https://bugzilla.suse.com/1098998
https://bugzilla.suse.com/1100079
https://bugzilla.suse.com/1100081
https://bugzilla.suse.com/1100082


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

Top
More in Preporuke
Sigurnosni nedostaci programskog paketa ucode-intel

Otkriveni su sigurnosni nedostaci u programskom paketu ucode-intel za operacijski sustav openSUSE. Otkriveni nedostaci potencijalnim napadačima omogućuju zaobilaženje sigurnosnih ograničenja....

Close