Advisories » MGASA-2018-0480

Updated thunderbird packages fix security issues & bugs

Publication date: 15 Dec 2018
Modification date: 15 Dec 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-16541, CVE-2018-5156, CVE-2018-5187, CVE-2018-5188, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12368, CVE-2018-12371, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379, CVE-2018-12383, CVE-2018-12385, CVE-2018-12389, CVE-2018-12390, CVE-2018-12391, CVE-2018-12392, CVE-2018-12393

Description

- Buffer overflow using computed size of canvas element. (CVE-2018-12359)

- Use-after-free when using focus(). (CVE-2018-12360)

- Integer overflow in SwizzleData. (CVE-2018-12361)

- Integer overflow in SSSE3 scaler. (CVE-2018-12362)

- Media recorder segmentation fault when track type is changed during
capture. (CVE-2018-5156)

- Use-after-free when appending DOM nodes. (CVE-2018-12363)

- CSRF attacks through 307 redirects and NPAPI plugins. (CVE-2018-12364)

- Compromised IPC child process can list local filenames.
(CVE-2018-12365)

- Integer overflow in Skia library during edge builder allocation.
(CVE-2018-12371)

- Invalid data handling during QCMS transformations. (CVE-2018-12366)

- Timing attack mitigation of PerformanceNavigationTiming.
(CVE-2018-12367)

- No warning when opening executable SettingContent-ms files.
(CVE-2018-12368)

- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Thunderbird 60. (CVE-2018-5187)

- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox
ESR 52.9, and Thunderbird 60. (CVE-2018-5188)

- Use-after-free in refresh driver timers. (CVE-2018-12377)

- Use-after-free in IndexedDB. (CVE-2018-12378)

- Out-of-bounds write with malicious MAR file. (CVE-2018-12379)

- Proxy bypass using automount and autofs. (CVE-2017-16541)

- Crash in TransportSecurityInfo due to cached data. (CVE-2018-12385)

- Setting a master password post-Firefox 58 does not delete unencrypted
previously stored passwords. (CVE-2018-12383)

- Memory safety bugs fixed in Firefox 62, Firefox ESR 60.2, and
Thunderbird 60.2.1. (CVE-2018-12376)

- HTTP Live Stream audio data is accessible cross-origin.
(CVE-2018-12391)

- Crash with nested event loops. (CVE-2018-12392)

- Integer overflow during Unicode conversion while loading JavaScript.
(CVE-2018-12393)

- Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3.
(CVE-2018-12389)

- Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and
Thunderbird 60.3. (CVE-2018-12390)

References

SRPMS

6/core