Updated thunderbird packages fix security vulnerabilities
Publication date: 23 Aug 2018Modification date: 23 Aug 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-12019 , CVE-2018-12020
Description
Updated thunderbird package fixes security vulnerabilities: * Spoofing of Email signatures II: The signature verification routine in Enigmail interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (CVE-2018-12019). * Spoofing of Email signatures I: GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated (CVE-2018-12020).
References
SRPMS
6/core
- thunderbird-52.9.1-1.1.mga6