Critical: thunderbird

Issue Overview:

The following CVEs are fixed in the updated thunderbird package:

CVE-2018-5161: Hang via malformed headers
CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
CVE-2018-5183: Backport critical security fixes in Skia
CVE-2018-5155: Use-after-free with SVG animations and text paths
CVE-2018-5170: Filename spoofing for external attachments
CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
CVE-2018-5168: Lightweight themes can be installed without user interaction
CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
CVE-2018-5154: Use-after-free with SVG animations and clip paths
CVE-2018-5185: Leaking plaintext through HTML forms

Affected Packages:

thunderbird

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update thunderbird to update your system.

New Packages:

src:  
    thunderbird-52.8.0-1.amzn2.src  
  
x86_64:  
    thunderbird-52.8.0-1.amzn2.x86_64  
    thunderbird-debuginfo-52.8.0-1.amzn2.x86_64  

Additional References

Red Hat: CVE-2018-5150, CVE-2018-5154, CVE-2018-5155, CVE-2018-5159, CVE-2018-5161, CVE-2018-5162, CVE-2018-5168, CVE-2018-5170, CVE-2018-5178, CVE-2018-5183, CVE-2018-5184, CVE-2018-5185

Mitre: CVE-2018-5150, CVE-2018-5154, CVE-2018-5155, CVE-2018-5159, CVE-2018-5161, CVE-2018-5162, CVE-2018-5168, CVE-2018-5170, CVE-2018-5178, CVE-2018-5183, CVE-2018-5184, CVE-2018-5185