Advisories ยป MGASA-2019-0212

Updated thunderbird packages fix security vulnerability

Publication date: 21 Jul 2019
Modification date: 21 Jul 2019
Type: security
Affected Mageia releases : 6 , 7
CVE: CVE-2019-9811 , CVE-2019-11711 , CVE-2019-11712 , CVE-2019-11713 , CVE-2019-11729 , CVE-2019-11715 , CVE-2019-11717 , CVE-2019-11719 , CVE-2019-11730 , CVE-2019-11709

Description

Sandbox escape via installation of malicious language pack. (CVE-2019-9811)

Script injection within domain through inner window reuse. (CVE-2019-11711)

Cross-origin POST requests can be made with NPAPI plugins by following 308
redirects. (CVE-2019-11712)

Use-after-free with HTTP/2 cached stream. (CVE-2019-11713)

Empty or malformed p256-ECDH public keys may trigger a segmentation fault.
(CVE-2019-11729)

HTML parsing error can contribute to content XSS. (CVE-2019-11715)

Caret character improperly escaped in origins. (CVE-2019-11717)

Out-of-bounds read when importing curve25519 private key. (CVE-2019-11719)

Same-origin policy treats all files in a directory as having the
same-origin. (CVE-2019-11730)

Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8 and Thunderbird
60.8. (CVE-2019-11709)

Enigmail 2.0.12 sets the default keyserver to keys.openpgp.org in order to
mitigate the SKS Keyserver Network Attack.

References

SRPMS

6/core

7/core