Updated thunderbird packages fix security vulnerabilities
Publication date: 14 Mar 2020Modification date: 14 Mar 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-20503 , CVE-2020-6805 , CVE-2020-6806 , CVE-2020-6807 , CVE-2020-6811 , CVE-2020-6812 , CVE-2020-6814
Description
The updated packages fix a security vulnerabilities:
Out of bounds reads in sctp_load_addresses_from_init. (CVE-2019-20503)
Use-after-free when removing data about origins. (CVE-2020-6805)
BodyStream::OnInputStreamReady was missing protections against state
confusion. (CVE-2020-6806)
Use-after-free in cubeb during stream destruction. (CVE-2020-6807)
Devtools' 'Copy as cURL' feature did not fully escape website-controlled
data, potentially leading to command injection. (CVE-2020-6811)
The names of AirPods with personally identifiable information were exposed
to websites with camera or microphone permission. (CVE-2020-6812)
Memory safety bugs fixed in Thunderbird 68.6. (CVE-2020-6814)
References
- https://bugs.mageia.org/show_bug.cgi?id=26334
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/
- https://www.thunderbird.net/en-US/thunderbird/68.6.0/releasenotes/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6805
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6806
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6807
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6811
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6812
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6814
SRPMS
7/core
- thunderbird-68.6.0-1.mga7
- thunderbird-l10n-68.6.0-1.mga7