Advisories » MGASA-2018-0354

Updated thunderbird packages fix security vulnerabilities

Publication date: 23 Aug 2018
Modification date: 23 Aug 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-12019 , CVE-2018-12020

Description

Updated thunderbird package fixes security vulnerabilities:

* Spoofing of Email signatures II: The signature verification routine in
  Enigmail interpreted User IDs as status/control messages and did not
  correctly keep track of the status of multiple signatures. This allowed
  remote attackers to spoof arbitrary email signatures via public keys
  containing crafted primary user ids (CVE-2018-12019).

* Spoofing of Email signatures I: GnuPG 2.2.8 fixed a security bug that
  allows remote attackers to spoof arbitrary email signatures via the
  embedded "--filename" parameter in OpenPGP literal data packets. This
  release of Enigmail prevents the exploit for all versions of GnuPG,
  i.e. also if GnuPG is not updated (CVE-2018-12020).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=23415
• https://www.enigmail.net/index.php/en/download/changelog
• https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12019
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020

SRPMS

6/core

• thunderbird-52.9.1-1.1.mga6