Search...

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Thunderbird vulnerabilities (USN-3793-1)

2018-10-16T00:00:00

ID UBUNTU_USN-3793-1.NASL
Type nessus
Reporter Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2018-10-16T00:00:00

Description

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2018-12376, CVE-2018-12377, CVE-2018-12378)

It was discovered that if a user saved passwords before Thunderbird 58 and then later set a master password, an unencrypted copy of these passwords would still be accessible. A local user could exploit this to obtain sensitive information. (CVE-2018-12383)

A crash was discovered in TransportSecurityInfo used for SSL, which could be triggered by data stored in the local cache directory. An attacker could potentially exploit this in combination with another vulnerability that allowed them to write data to the cache, to execute arbitrary code. (CVE-2018-12385).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3793-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# &lt;http://www.ubuntu.com/usn/&gt;. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118144);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/17");

  script_cve_id("CVE-2018-12376", "CVE-2018-12377", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385");
  script_xref(name:"USN", value:"3793-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Thunderbird vulnerabilities (USN-3793-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple security issues were discovered in Thunderbird. If a user
were tricked in to opening a specially crafted website in a browsing
context, an attacker could potentially exploit these to cause a denial
of service, or execute arbitrary code. (CVE-2018-12376,
CVE-2018-12377, CVE-2018-12378)

It was discovered that if a user saved passwords before Thunderbird 58
and then later set a master password, an unencrypted copy of these
passwords would still be accessible. A local user could exploit this
to obtain sensitive information. (CVE-2018-12383)

A crash was discovered in TransportSecurityInfo used for SSL, which
could be triggered by data stored in the local cache directory. An
attacker could potentially exploit this in combination with another
vulnerability that allowed them to write data to the cache, to execute
arbitrary code. (CVE-2018-12385).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3793-1/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected thunderbird package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:thunderbird");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/16");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" &gt;!&lt; cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"thunderbird", pkgver:"1:60.2.1+build1-0ubuntu0.14.04.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"thunderbird", pkgver:"1:60.2.1+build1-0ubuntu0.16.04.4")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"thunderbird", pkgver:"1:60.2.1+build1-0ubuntu0.18.04.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird");
}

JSON Vulners Source

Initial Source

{"id": "UBUNTU_USN-3793-1.NASL", "bulletinFamily": "scanner", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Thunderbird vulnerabilities (USN-3793-1)", "description": "Multiple security issues were discovered in Thunderbird. If a user\nwere tricked in to opening a specially crafted website in a browsing\ncontext, an attacker could potentially exploit these to cause a denial\nof service, or execute arbitrary code. (CVE-2018-12376,\nCVE-2018-12377, CVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Thunderbird 58\nand then later set a master password, an unencrypted copy of these\npasswords would still be accessible. A local user could exploit this\nto obtain sensitive information. (CVE-2018-12383)\n\nA crash was discovered in TransportSecurityInfo used for SSL, which\ncould be triggered by data stored in the local cache directory. An\nattacker could potentially exploit this in combination with another\nvulnerability that allowed them to write data to the cache, to execute\narbitrary code. (CVE-2018-12385).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2018-10-16T00:00:00", "modified": "2018-10-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/118144", "reporter": "Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://usn.ubuntu.com/3793-1/"], "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2018-12376"], "type": "nessus", "lastseen": "2020-09-18T10:57:23", "edition": 20, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310843659", "OPENVAS:1361412562310814071", "OPENVAS:1361412562311220181359", "OPENVAS:1361412562310704327", "OPENVAS:1361412562310704287", "OPENVAS:1361412562310843712", "OPENVAS:1361412562310882970", "OPENVAS:1361412562310843631", "OPENVAS:1361412562310814070", "OPENVAS:1361412562310843635"]}, {"type": "ubuntu", "idList": ["USN-3761-1", "USN-3761-2", "USN-3793-1", "USN-3761-3"]}, {"type": "cve", "idList": ["CVE-2018-12376", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377"]}, {"type": "archlinux", "idList": ["ASA-201810-13"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4327.NASL", "MACOSX_THUNDERBIRD_60_2_1.NASL", "SL_20181031_THUNDERBIRD_ON_SL6_X.NASL", "UBUNTU_USN-3761-1.NASL", "CENTOS_RHSA-2018-3403.NASL", "UBUNTU_USN-3761-3.NASL", "ORACLELINUX_ELSA-2018-3458.NASL", "REDHAT-RHSA-2018-3458.NASL", "REDHAT-RHSA-2018-3403.NASL", "SL_20181105_THUNDERBIRD_ON_SL7_X.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4304-1:3BB50", "DEBIAN:DSA-4327-1:FC18F", "DEBIAN:DSA-4287-1:A5F94"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-2835", "ELSA-2018-3458", "ELSA-2018-3403", "ELSA-2018-2693", "ELSA-2018-2692"]}, {"type": "redhat", "idList": ["RHSA-2018:2692", "RHSA-2018:3458", "RHSA-2018:3403", "RHSA-2018:2835", "RHSA-2018:2834"]}, {"type": "kaspersky", "idList": ["KLA11321", "KLA11336"]}, {"type": "centos", "idList": ["CESA-2018:2835", "CESA-2018:2834", "CESA-2018:2693", "CESA-2018:3403", "CESA-2018:2692"]}, {"type": "threatpost", "idList": ["THREATPOST:4DA8C35FD9DE12E4072829BE75A2282D"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2817-1", "OPENSUSE-SU-2018:2674-1"]}, {"type": "freebsd", "idList": ["C96D416A-EAE7-4D5D-BC84-40DECA9329FB"]}], "modified": "2020-09-18T10:57:23", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2020-09-18T10:57:23", "rev": 2}, "vulnersScore": 7.4}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3793-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118144);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_xref(name:\"USN\", value:\"3793-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Thunderbird vulnerabilities (USN-3793-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple security issues were discovered in Thunderbird. If a user\nwere tricked in to opening a specially crafted website in a browsing\ncontext, an attacker could potentially exploit these to cause a denial\nof service, or execute arbitrary code. (CVE-2018-12376,\nCVE-2018-12377, CVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Thunderbird 58\nand then later set a master password, an unencrypted copy of these\npasswords would still be accessible. A local user could exploit this\nto obtain sensitive information. (CVE-2018-12383)\n\nA crash was discovered in TransportSecurityInfo used for SSL, which\ncould be triggered by data stored in the local cache directory. An\nattacker could potentially exploit this in combination with another\nvulnerability that allowed them to write data to the cache, to execute\narbitrary code. (CVE-2018-12385).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3793-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected thunderbird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"thunderbird\", pkgver:\"1:60.2.1+build1-0ubuntu0.14.04.2\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"thunderbird\", pkgver:\"1:60.2.1+build1-0ubuntu0.16.04.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"thunderbird\", pkgver:\"1:60.2.1+build1-0ubuntu0.18.04.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird\");\n}\n", "naslFamily": "Ubuntu Local Security Checks", "pluginID": "118144", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:thunderbird", "cpe:/o:canonical:ubuntu_linux:14.04"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}

{"openvas": [{"lastseen": "2019-05-29T18:33:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2018-12376"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-10-16T00:00:00", "id": "OPENVAS:1361412562310843659", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843659", "type": "openvas", "title": "Ubuntu Update for thunderbird USN-3793-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3793_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for thunderbird USN-3793-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843659\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-16 06:20:47 +0200 (Tue, 16 Oct 2018)\");\n script_cve_id(\"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for thunderbird USN-3793-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thunderbird'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple security issues were discovered in Thunderbird. If a user were\ntricked in to opening a specially crafted website in a browsing context,\nan attacker could potentially exploit these to cause a denial of service,\nor execute arbitrary code. (CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Thunderbird 58 and\nthen later set a master password, an unencrypted copy of these passwords\nwould still be accessible. A local user could exploit this to obtain\nsensitive information. (CVE-2018-12383)\n\nA crash was discovered in TransportSecurityInfo used for SSL, which could\nbe triggered by data stored in the local cache directory. An attacker\ncould potentially exploit this in combination with another vulnerability\nthat allowed them to write data to the cache, to execute arbitrary code.\n(CVE-2018-12385)\");\n script_tag(name:\"affected\", value:\"thunderbird on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3793-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3793-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"thunderbird\", ver:\"1:60.2.1+build1-0ubuntu0.14.04.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"thunderbird\", ver:\"1:60.2.1+build1-0ubuntu0.18.04.2\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"thunderbird\", ver:\"1:60.2.1+build1-0ubuntu0.16.04.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "The remote host is missing an update for the ", "modified": "2019-03-08T00:00:00", "published": "2018-11-09T00:00:00", "id": "OPENVAS:1361412562310882970", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882970", "type": "openvas", "title": "CentOS Update for thunderbird CESA-2018:3403 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2018_3403_thunderbird_centos6.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for thunderbird CESA-2018:3403 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882970\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-11-09 06:05:06 +0100 (Fri, 09 Nov 2018)\");\n script_name(\"CentOS Update for thunderbird CESA-2018:3403 centos6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2018:3403\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-November/023078.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'thunderbird'\n package(s) announced via the CESA-2018:3403 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es):\n\n * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n * Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n * Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n * Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n * Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\n * Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n * Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail messages\nand cannot be enabled. They could be exploited another way in Thunderbird,\nfor example, when viewing the remote content of an RSS feed.\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues.\nUpstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl,\nChristian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl\nTomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song,\nHolger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the original reporters.\");\n\n script_tag(name:\"affected\", value:\"thunderbird on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"thunderbird\", rpm:\"thunderbird~60.2.1~5.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-25T12:02:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2018-12376", "CVE-2018-18499"], "description": "This host is installed with Mozilla\n Thunderbird and is prone to multiple vulnerabilities.", "modified": "2019-07-25T00:00:00", "published": "2018-10-05T00:00:00", "id": "OPENVAS:1361412562310814070", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814070", "type": "openvas", "title": "Mozilla Thunderbird Security Updates (mfsa_2018-20_2018-25) - Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Thunderbird Security Updates(mfsa_2018-20_2018-25)-Windows\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:thunderbird\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814070\");\n script_version(\"2019-07-25T06:05:02+0000\");\n script_cve_id(\"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-18499\", \"CVE-2018-12379\", \"CVE-2018-12385\",\n \"CVE-2018-12383\", \"CVE-2018-12376\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-25 06:05:02 +0000 (Thu, 25 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-05 11:07:48 +0530 (Fri, 05 Oct 2018)\");\n script_name(\"Mozilla Thunderbird Security Updates (mfsa_2018-20_2018-25) - Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla\n Thunderbird and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in refresh driver timers.\n\n - An use-after-free error in IndexedDB.\n\n - A same-origin policy violation using meta refresh and performance.getEntries to steal cross-origin URLs.\n\n - An out-of-bounds write error with malicious MAR file.\n\n - An error related to cached data in the user profile directory.\n\n - An error related to setting of a master password.\n\n - Memory safety bugs.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to disclose sensitive information, cause denial of service and run arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Thunderbird version before 60.2.1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Thunderbird version 60.2.1\n or later. For updates refer Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2018-25\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_thunderbird_detect_win.nasl\");\n script_mandatory_keys(\"Thunderbird/Win/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"60.2.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"60.2.1\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:56:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "Multiple security issues have been found in Thunderbird: Multiple memory\nsafety errors and use-after-frees may lead to the execution of arbitrary\ncode or denial of service.", "modified": "2019-07-04T00:00:00", "published": "2018-10-25T00:00:00", "id": "OPENVAS:1361412562310704327", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704327", "type": "openvas", "title": "Debian Security Advisory DSA 4327-1 (thunderbird - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4327-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704327\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\",\n \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_name(\"Debian Security Advisory DSA 4327-1 (thunderbird - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-25 00:00:00 +0200 (Thu, 25 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4327.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"thunderbird on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 1:60.2.1-2~deb9u1.\n\nWe recommend that you upgrade your thunderbird packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/thunderbird\");\n script_tag(name:\"summary\", value:\"Multiple security issues have been found in Thunderbird: Multiple memory\nsafety errors and use-after-frees may lead to the execution of arbitrary\ncode or denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"calendar-google-provider\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-dbg\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-dev\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-all\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ast\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-be\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-bg\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-bn-bd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ca\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-cs\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-da\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-de\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-dsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-el\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-en-gb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-es-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-es-es\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-et\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-eu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-fi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-fr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-fy-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ga-ie\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-gd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-gl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-he\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-hr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-hsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-hu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-hy-am\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-id\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-is\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-it\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ja\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-kab\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ko\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-lt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-nb-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-nn-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-pa-in\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-pl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-pt-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-pt-pt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-rm\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ro\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ru\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-si\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-sk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-sl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-sq\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-sr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-sv-se\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-ta-lk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-tr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-uk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-vi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-zh-cn\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"icedove-l10n-zh-tw\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-extension\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ast\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-be\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-bg\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-bn-bd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ca\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-cs\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-cy\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-da\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-de\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-dsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-el\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-en-gb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-es-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-es-es\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-et\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-eu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-fi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-fr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-fy-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ga-ie\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-gd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-gl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-he\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-hr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-hsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-hu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-hy-am\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-id\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-is\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-it\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ja\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-kab\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ko\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-lt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-nb-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-nn-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-pa-in\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-pl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-pt-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-pt-pt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-rm\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ro\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ru\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-si\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-sk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-sl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-sq\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-sr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-sv-se\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-ta-lk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-tr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-uk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-vi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-zh-cn\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceowl-l10n-zh-tw\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ast\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-be\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-bg\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-bn-bd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ca\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-cs\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-cy\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-da\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-de\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-dsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-el\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-en-gb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-es-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-es-es\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-et\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-eu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-fi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-fr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-fy-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ga-ie\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-gd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-gl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-he\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-hr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-hsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-hu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-hy-am\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-id\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-is\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-it\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ja\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-kab\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-kk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ko\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-lt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ms\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-nb-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-nn-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-pa-in\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-pl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-pt-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-pt-pt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-rm\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ro\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ru\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-si\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-sk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-sl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-sq\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-sr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-sv-se\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-ta-lk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-tr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-uk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-vi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-zh-cn\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lightning-l10n-zh-tw\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-dbg\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-dev\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-all\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ast\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-be\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-bg\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-bn-bd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ca\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-cs\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-cy\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-da\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-de\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-dsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-el\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-en-gb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-es-ar\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-es-es\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-et\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-eu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-fi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-fr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-fy-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ga-ie\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-gd\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-gl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-he\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-hr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-hsb\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-hu\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-hy-am\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-id\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-is\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-it\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ja\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-kab\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-kk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ko\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-lt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ms\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-nb-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-nl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-nn-no\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-pa-in\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-pl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-pt-br\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-pt-pt\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-rm\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ro\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ru\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-si\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-sk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-sl\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-sq\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-sr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-sv-se\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-ta-lk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-tr\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-uk\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-vi\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-zh-cn\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"thunderbird-l10n-zh-tw\", ver:\"1:60.2.1-2~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-09-07T00:00:00", "id": "OPENVAS:1361412562310843631", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843631", "type": "openvas", "title": "Ubuntu Update for firefox USN-3761-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3761_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for firefox USN-3761-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843631\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-07 07:15:54 +0200 (Fri, 07 Sep 2018)\");\n script_cve_id(\"CVE-2018-12375\", \"CVE-2018-12376\", \"CVE-2018-12377\",\n \"CVE-2018-12378\", \"CVE-2018-12383\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for firefox USN-3761-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\nthe target host.\");\n script_tag(name:\"insight\", value:\"Multiple security issues were discovered in\nFirefox. If a user were tricked in to opening a specially crafted website, an\nattacker could potentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these passwords\nwould still be accessible. A local user could exploit this to obtain\nsensitive information. (CVE-2018-12383)\");\n script_tag(name:\"affected\", value:\"firefox on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3761-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3761-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.14.04.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.18.04.3\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.16.04.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-09-14T00:00:00", "id": "OPENVAS:1361412562310843635", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843635", "type": "openvas", "title": "Ubuntu Update for firefox USN-3761-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3761_2.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for firefox USN-3761-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843635\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-14 07:35:24 +0200 (Fri, 14 Sep 2018)\");\n script_cve_id(\"CVE-2018-12375\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\",\n \"CVE-2018-12383\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for firefox USN-3761-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"insight\", value:\"USN-3761-1 fixed vulnerabilities in Firefox.\nThe update caused several regressions affecting spellchecker dictionaries and\nsearch engines. This update fixes the problems.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMultiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these passwords\nwould still be accessible. A local user could exploit this to obtain\nsensitive information. (CVE-2018-12383)\");\n script_tag(name:\"affected\", value:\"firefox on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3761-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3761-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.14.04.4\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.18.04.4\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.16.04.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843712", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843712", "type": "openvas", "title": "Ubuntu Update for firefox USN-3761-3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3761_3.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for firefox USN-3761-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843712\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-12375\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12383\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:09:55 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for firefox USN-3761-3\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3761-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3761-3/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the USN-3761-3 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"USN-3761-1 fixed vulnerabilities in Firefox. The update caused several\nregressions affecting spellchecker dictionaries and search engines, which\nwere partially fixed by USN-3761-2. This update contains the remaining fix.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMultiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these passwords\nwould still be accessible. A local user could exploit this to obtain\nsensitive information. (CVE-2018-12383)\");\n\n script_tag(name:\"affected\", value:\"firefox on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.14.04.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.18.04.5\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"62.0+build2-0ubuntu0.16.04.5\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-25T12:02:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376", "CVE-2018-18499"], "description": "This host is installed with Mozilla\n Thunderbird and is prone to multiple vulnerabilities.", "modified": "2019-07-25T00:00:00", "published": "2018-10-05T00:00:00", "id": "OPENVAS:1361412562310814071", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814071", "type": "openvas", "title": "Mozilla Thunderbird Security Updates (mfsa_2018-20_2018-25) - MAC OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Thunderbird Security Updates(mfsa_2018-20_2018-25)-MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:thunderbird\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814071\");\n script_version(\"2019-07-25T06:05:02+0000\");\n script_cve_id(\"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-18499\", \"CVE-2018-12379\", \"CVE-2017-16541\",\n \"CVE-2018-12385\", \"CVE-2018-12383\", \"CVE-2018-12376\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-25 06:05:02 +0000 (Thu, 25 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-05 11:08:43 +0530 (Fri, 05 Oct 2018)\");\n script_name(\"Mozilla Thunderbird Security Updates (mfsa_2018-20_2018-25) - MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla\n Thunderbird and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in refresh driver timers.\n\n - An use-after-free error in IndexedDB.\n\n - A same-origin policy violation using meta refresh and performance.getEntries to steal cross-origin URLs.\n\n - An out-of-bounds write error with malicious MAR file.\n\n - A proxy bypass using automount and autofs.\n\n - An error related to cached data in the user profile directory.\n\n - An error related to setting of a master password.\n\n - Memory safety bugs.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to disclose sensitive information, cause denial of service, run arbitrary code\n and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Thunderbird version before 60.2.1 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Thunderbird version 60.2.1\n or later. For updates refer Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2018-25\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Thunderbird/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:vers, test_version:\"60.2.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"60.2.1\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:55:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12377", "CVE-2018-12376"], "description": "Several security issues have been found in the Mozilla Firefox web\nbrowser: Multiple memory safety errors and use-after-frees may lead to\nthe execution of arbitrary code or denial of service.\n\nDebian follows the extended support releases (ESR) of Firefox. Support\nfor the 52.x series has ended, so starting with this update we", "modified": "2019-07-04T00:00:00", "published": "2018-09-07T00:00:00", "id": "OPENVAS:1361412562310704287", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704287", "type": "openvas", "title": "Debian Security Advisory DSA 4287-1 (firefox-esr - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4287-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704287\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\");\n script_name(\"Debian Security Advisory DSA 4287-1 (firefox-esr - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-09-07 00:00:00 +0200 (Fri, 07 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4287.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"firefox-esr on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 60.2.0esr-1~deb9u2.\n\nWe recommend that you upgrade your firefox-esr packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/firefox-esr\");\n script_tag(name:\"summary\", value:\"Several security issues have been found in the Mozilla Firefox web\nbrowser: Multiple memory safety errors and use-after-frees may lead to\nthe execution of arbitrary code or denial of service.\n\nDebian follows the extended support releases (ESR) of Firefox. Support\nfor the 52.x series has ended, so starting with this update we're now\nfollowing the 60.x releases.\n\nBetween 52.x and 60.x, Firefox has undergone significant internal\nupdates, which makes it incompatible with a number of extensions. For\nmore information please\nIn addition, the new Firefox packages require Rust to build. A\ncompatible Rust toolchain has been backported to Debian stretch, but is\nnot available for all architectures which previously supported the\npurely C++-based Firefox packages. Thus, the new Firefox packages\ndon't support the armel, armhf, mips, mips64el and mipsel architectures\nat this point.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/firefox/60.0esr/releasenotes/\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ach\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-af\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-all\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-an\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ar\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-as\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ast\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-az\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-be\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bg\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bn-bd\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bn-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-br\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bs\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ca\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cak\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cs\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cy\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-da\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-de\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-dsb\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-el\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-en-gb\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-en-za\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-eo\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-ar\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-cl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-es\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-mx\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-et\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-eu\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fa\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ff\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fi\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fy-nl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ga-ie\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gd\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gn\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gu-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-he\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hi-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hsb\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hu\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hy-am\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ia\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-id\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-is\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-it\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ja\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ka\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kab\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-km\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kn\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ko\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lij\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lt\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lv\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mai\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ml\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ms\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-my\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nb-no\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ne-np\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nn-no\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-oc\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-or\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pa-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pt-br\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pt-pt\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-rm\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ro\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ru\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-si\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-son\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sq\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sv-se\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ta\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-te\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-th\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-tr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-uk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ur\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-uz\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-vi\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-xh\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-zh-cn\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-zh-tw\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-an\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-az\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cak\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-dsb\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gn\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hsb\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ia\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ka\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kab\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ms\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-my\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ne-np\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-oc\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ur\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-uz\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-xh\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"60.2.0esr-1~deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12386", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376", "CVE-2018-12387"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181359", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181359", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for firefox (EulerOS-SA-2018-1359)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1359\");\n script_version(\"2020-01-23T11:23:13+0000\");\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\", \"CVE-2018-12386\", \"CVE-2018-12387\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:23:13 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:23:13 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for firefox (EulerOS-SA-2018-1359)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1359\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1359\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'firefox' package(s) announced via the EulerOS-SA-2018-1359 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\nMozilla: Use-after-free in driver timers (CVE-2018-12377)\n\nMozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\nMozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\nMozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\nMozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\nMozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nMozilla: type confusion in JavaScript (CVE-2018-12386)\n\nMozilla: stack out-of-bounds read in Array.prototype.push (CVE-2018-12387)\");\n\n script_tag(name:\"affected\", value:\"'firefox' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~60.2.2~1.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:16", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2018-12376"], "description": "Multiple security issues were discovered in Thunderbird. If a user were \ntricked in to opening a specially crafted website in a browsing context, \nan attacker could potentially exploit these to cause a denial of service, \nor execute arbitrary code. (CVE-2018-12376, CVE-2018-12377, \nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Thunderbird 58 and \nthen later set a master password, an unencrypted copy of these passwords \nwould still be accessible. A local user could exploit this to obtain \nsensitive information. (CVE-2018-12383)\n\nA crash was discovered in TransportSecurityInfo used for SSL, which could \nbe triggered by data stored in the local cache directory. An attacker \ncould potentially exploit this in combination with another vulnerability \nthat allowed them to write data to the cache, to execute arbitrary code. \n(CVE-2018-12385)", "edition": 5, "modified": "2018-10-15T00:00:00", "published": "2018-10-15T00:00:00", "id": "USN-3793-1", "href": "https://ubuntu.com/security/notices/USN-3793-1", "title": "Thunderbird vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:37:00", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "description": "USN-3761-1 fixed vulnerabilities in Firefox. The update caused several \nregressions affecting spellchecker dictionaries and search engines, which \nwere partially fixed by USN-3761-2. This update contains the remaining fix.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMultiple security issues were discovered in Firefox. If a user were \ntricked in to opening a specially crafted website, an attacker could \npotentially exploit these to cause a denial of service, or execute \narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377, \nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and \nthen later set a master password, an unencrypted copy of these passwords \nwould still be accessible. A local user could exploit this to obtain \nsensitive information. (CVE-2018-12383)", "edition": 1, "modified": "2018-09-17T00:00:00", "published": "2018-09-17T00:00:00", "id": "USN-3761-3", "href": "https://ubuntu.com/security/notices/USN-3761-3", "title": "Firefox regressions", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:43:05", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "description": "USN-3761-1 fixed vulnerabilities in Firefox. The update caused several \nregressions affecting spellchecker dictionaries and search engines. This \nupdate fixes the problems.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMultiple security issues were discovered in Firefox. If a user were \ntricked in to opening a specially crafted website, an attacker could \npotentially exploit these to cause a denial of service, or execute \narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377, \nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and \nthen later set a master password, an unencrypted copy of these passwords \nwould still be accessible. A local user could exploit this to obtain \nsensitive information. (CVE-2018-12383)", "edition": 5, "modified": "2018-09-13T00:00:00", "published": "2018-09-13T00:00:00", "id": "USN-3761-2", "href": "https://ubuntu.com/security/notices/USN-3761-2", "title": "Firefox regressions", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:38:05", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "description": "Multiple security issues were discovered in Firefox. If a user were \ntricked in to opening a specially crafted website, an attacker could \npotentially exploit these to cause a denial of service, or execute \narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377, \nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and \nthen later set a master password, an unencrypted copy of these passwords \nwould still be accessible. A local user could exploit this to obtain \nsensitive information. (CVE-2018-12383)", "edition": 5, "modified": "2018-09-06T00:00:00", "published": "2018-09-06T00:00:00", "id": "USN-3761-1", "href": "https://ubuntu.com/security/notices/USN-3761-1", "title": "Firefox vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T20:25:33", "description": "A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. This vulnerability affects Thunderbird < 60.2.1, Firefox ESR < 60.2.1, and Firefox < 62.0.2.", "edition": 13, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-18T13:29:00", "title": "CVE-2018-12385", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12385"], "modified": "2018-12-06T19:03:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-12385", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12385", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:33", "description": "Memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-18T13:29:00", "title": "CVE-2018-12376", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12376"], "modified": "2018-12-06T15:50:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-12376", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12376", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:33", "description": "A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-18T13:29:00", "title": "CVE-2018-12377", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12377"], "modified": "2018-12-06T15:50:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-12377", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12377", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:33", "description": "If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.", "edition": 14, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-10-18T13:29:00", "title": "CVE-2018-12383", "type": "cve", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12383"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-12383", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12383", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:33", "description": "A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-18T13:29:00", "title": "CVE-2018-12378", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12378"], "modified": "2018-12-06T15:51:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-12378", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12378", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12376", "CVE-2018-12377", "CVE-2018-12378", "CVE-2018-12379", "CVE-2018-12383", "CVE-2018-12385"], "description": "Arch Linux Security Advisory ASA-201810-13\n==========================================\n\nSeverity: Critical\nDate : 2018-10-18\nCVE-ID : CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 CVE-2018-12379\nCVE-2018-12383 CVE-2018-12385\nPackage : thunderbird\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-782\n\nSummary\n=======\n\nThe package thunderbird before version 60.2.1-1 is vulnerable to\nmultiple issues including arbitrary code execution and information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 60.2.1-1.\n\n# pacman -Syu \"thunderbird>=60.2.1-1\"\n\nThe problems have been fixed upstream in version 60.2.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2018-12376 (arbitrary code execution)\n\nSeveral memory safety bugs have been found in Thunderbird versions\nprior to 60.2.1.\n\n- CVE-2018-12377 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in Thunderbird versions\nprior to 60.2.1, which can occur when refresh driver timers are\nrefreshed in some circumstances during shutdown when the timer is\ndeleted while still in use. This results in a potentially exploitable\ncrash.\n\n- CVE-2018-12378 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in Thunderbird versions\nprior to 60.2.1, which can occur when an IndexedDB index is deleted\nwhile still in use by JavaScript code that is providing payload values\nto be stored. This results in a potentially exploitable crash.\n\n- CVE-2018-12379 (arbitrary code execution)\n\nA security issue has been found in Thunderbird versions prior to\n60.2.1. When the Mozilla Updater opens a MAR format file which contains\na very long item filename, an out-of-bounds write can be triggered,\nleading to a potentially exploitable crash. This requires running the\nMozilla Updater manually on the local system with the malicious MAR\nfile in order to occur.\n\n- CVE-2018-12383 (information disclosure)\n\nA security issue has been found in Thunderbird versions prior to\n60.2.1. If a user saved passwords before the move to a new password\nformat and then later set a master password, an unencrypted copy of\nthese passwords is still accessible. This is because the older stored\npassword file was not deleted when the data was copied to a new format.\nThe new master password is added only on the new file. This could allow\nthe exposure of stored password data outside of user expectations.\n\n- CVE-2018-12385 (arbitrary code execution)\n\nA security issue has been found in Thunderbird versions prior to\n60.2.1. A potentially exploitable crash in TransportSecurityInfo used\nfor SSL can be triggered by data stored in the local cache in the user\nprofile directory. This issue is only exploitable in combination with\nanother vulnerability allowing an attacker to write data into the local\ncache or from locally installed malware.\n\nImpact\n======\n\nA remote attacker can access sensitive information or execute arbitrary\ncode on the affected host.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/60424\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12376\nhttps://bugzilla.mozilla.org/buglist.cgi?bug_id=1469309%2C1469914%2C1450989%2C1480092%2C1480517%2C1481093%2C1478575%2C1471953%2C1473161%2C1466991%2C1468738%2C1483120%2C1467363%2C1472925%2C1466577%2C1467889%2C1480521%2C1478849\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12377\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1470260\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12378\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1459383\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12379\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1473113\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12383\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1475775\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12385\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1490585\nhttps://security.archlinux.org/CVE-2018-12376\nhttps://security.archlinux.org/CVE-2018-12377\nhttps://security.archlinux.org/CVE-2018-12378\nhttps://security.archlinux.org/CVE-2018-12379\nhttps://security.archlinux.org/CVE-2018-12383\nhttps://security.archlinux.org/CVE-2018-12385", "modified": "2018-10-18T00:00:00", "published": "2018-10-18T00:00:00", "id": "ASA-201810-13", "href": "https://security.archlinux.org/ASA-201810-13", "type": "archlinux", "title": "[ASA-201810-13] thunderbird: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-05-31T17:07:08", "description": "An update for thunderbird is now available for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-09T00:00:00", "title": "CentOS 6 : thunderbird (CESA-2018:3403)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-11-09T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:thunderbird"], "id": "CENTOS_RHSA-2018-3403.NASL", "href": "https://www.tenable.com/plugins/nessus/118837", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3403 and \n# CentOS Errata and Security Advisory 2018:3403 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118837);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_xref(name:\"RHSA\", value:\"2018:3403\");\n\n script_name(english:\"CentOS 6 : thunderbird (CESA-2018:3403)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for thunderbird is now available for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2018-November/023078.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?70bb2967\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected thunderbird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-12376\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"thunderbird-60.2.1-5.el6.centos\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T20:00:10", "description": "From Red Hat Security Advisory 2018:3458 :\n\nAn update for thunderbird is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.", "edition": 14, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-08T00:00:00", "title": "Oracle Linux 7 : thunderbird (ELSA-2018-3458)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-11-08T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:thunderbird", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2018-3458.NASL", "href": "https://www.tenable.com/plugins/nessus/118813", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:3458 and \n# Oracle Linux Security Advisory ELSA-2018-3458 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118813);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_xref(name:\"RHSA\", value:\"2018:3458\");\n\n script_name(english:\"Oracle Linux 7 : thunderbird (ELSA-2018-3458)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2018:3458 :\n\nAn update for thunderbird is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-November/008222.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected thunderbird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"thunderbird-60.2.1-4.0.1.el7_5\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T20:39:35", "description": "This update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n - Mozilla: Memory safety bugs fixed in Firefox 62 and\n Firefox ESR 60.2 (CVE-2018-12376)\n\n - Mozilla: Use-after-free in driver timers\n (CVE-2018-12377)\n\n - Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n - Mozilla: Proxy bypass using automount and autofs\n (CVE-2017-16541)\n\n - Mozilla: Out-of-bounds write with malicious MAR file\n (CVE-2018-12379)\n\n - Mozilla: Crash in TransportSecurityInfo due to cached\n data (CVE-2018-12385)\n\n - Mozilla: Setting a master password post-Firefox 58 does\n not delete unencrypted previously stored passwords\n (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-27T00:00:00", "title": "Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20181105)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-11-27T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:thunderbird", "p-cpe:/a:fermilab:scientific_linux:thunderbird-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20181105_THUNDERBIRD_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/119208", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119208);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n\n script_name(english:\"Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20181105)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n - Mozilla: Memory safety bugs fixed in Firefox 62 and\n Firefox ESR 60.2 (CVE-2018-12376)\n\n - Mozilla: Use-after-free in driver timers\n (CVE-2018-12377)\n\n - Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n - Mozilla: Proxy bypass using automount and autofs\n (CVE-2017-16541)\n\n - Mozilla: Out-of-bounds write with malicious MAR file\n (CVE-2018-12379)\n\n - Mozilla: Crash in TransportSecurityInfo due to cached\n data (CVE-2018-12385)\n\n - Mozilla: Setting a master password post-Firefox 58 does\n not delete unencrypted previously stored passwords\n (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1811&L=scientific-linux-errata&F=&S=&P=2327\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b1c5dde2\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected thunderbird and / or thunderbird-debuginfo\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:thunderbird-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"thunderbird-60.2.1-4.el7_5\", allowmaj:TRUE)) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"thunderbird-debuginfo-60.2.1-4.el7_5\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird / thunderbird-debuginfo\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:41:22", "description": "The version of Mozilla Thunderbird installed on the remote macOS host\nis prior to 60.2.1. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A use-after-free vulnerability can occur when refresh driver\n timers are refreshed in some circumstances during shutdown when\n the timer is deleted while still in use. This results in a\n potentially exploitable crash. (CVE-2018-12377)\n\n - A use-after-free vulnerability can occur when an IndexedDB index\n is deleted while still in use by JavaScript code that is providing\n payload values to be stored. This results in a potentially\n exploitable crash. (CVE-2018-12378)\n\n - When the Mozilla Updater opens a MAR format file which contains a\n very long item filename, an out-of-bounds write can be triggered,\n leading to a potentially exploitable crash. This requires running\n the Mozilla Updater manually on the local system with the\n malicious MAR file in order to occur. (CVE-2018-12379)\n\n - Browser proxy settings can be bypassed by using the automount\n feature with autofs to create a mount point on the local file\n system. Content can be loaded from this mounted file system\n directly using a file: URI, bypassing configured proxy settings.\n *Note: this issue only affects OS X in default configurations. On\n Linux systems, autofs must be installed for the vulnerability to\n occur and Windows is not affected.* (CVE-2017-16541)\n\n - Mozilla developers and community members Alex Gaynor, Boris\n Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed\n Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren,\n Nika Layzell, Ted Campbell, and Andrei Cristian Petcu reported\n memory safety bugs present in Firefox 61 and Firefox ESR 60.1.\n Some of these bugs showed evidence of memory corruption and we\n presume that with enough effort that some of these could be\n exploited to run arbitrary code. (CVE-2018-12376)\n\n - A potentially exploitable crash in TransportSecurityInfo used for\n SSL can be triggered by data stored in the local cache in the user\n profile directory. This issue is only exploitable in combination\n with another vulnerability allowing an attacker to write data into\n the local cache or from locally installed malware. This issue also\n triggers a non-exploitable startup crash for users switching\n between the Nightly and Release versions of Firefox if the same\n profile is used. (CVE-2018-12385)\n\n - If a user saved passwords before Firefox 58 and then later set a\n master password, an unencrypted copy of these passwords is still\n accessible. This is because the older stored password file was not\n deleted when the data was copied to a new format starting in\n Firefox 58. The new master password is added only on the new file.\n This could allow the exposure of stored password data outside of\n user expectations. (CVE-2018-12383)\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-05T00:00:00", "title": "Mozilla Thunderbird < 60.2.1 Multiple Vulnerabilities (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:thunderbird"], "id": "MACOSX_THUNDERBIRD_60_2_1.NASL", "href": "https://www.tenable.com/plugins/nessus/117938", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2018-25.\n# The text itself is copyright (C) Mozilla Foundation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117938);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2017-16541\",\n \"CVE-2018-12376\",\n \"CVE-2018-12377\",\n \"CVE-2018-12378\",\n \"CVE-2018-12379\",\n \"CVE-2018-12383\",\n \"CVE-2018-12385\"\n );\n\n script_name(english:\"Mozilla Thunderbird < 60.2.1 Multiple Vulnerabilities (macOS)\");\n script_summary(english:\"Checks the version of Thunderbird.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Mozilla Thunderbird installed on the remote macOS host\nis prior to 60.2.1. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A use-after-free vulnerability can occur when refresh driver\n timers are refreshed in some circumstances during shutdown when\n the timer is deleted while still in use. This results in a\n potentially exploitable crash. (CVE-2018-12377)\n\n - A use-after-free vulnerability can occur when an IndexedDB index\n is deleted while still in use by JavaScript code that is providing\n payload values to be stored. This results in a potentially\n exploitable crash. (CVE-2018-12378)\n\n - When the Mozilla Updater opens a MAR format file which contains a\n very long item filename, an out-of-bounds write can be triggered,\n leading to a potentially exploitable crash. This requires running\n the Mozilla Updater manually on the local system with the\n malicious MAR file in order to occur. (CVE-2018-12379)\n\n - Browser proxy settings can be bypassed by using the automount\n feature with autofs to create a mount point on the local file\n system. Content can be loaded from this mounted file system\n directly using a file: URI, bypassing configured proxy settings.\n *Note: this issue only affects OS X in default configurations. On\n Linux systems, autofs must be installed for the vulnerability to\n occur and Windows is not affected.* (CVE-2017-16541)\n\n - Mozilla developers and community members Alex Gaynor, Boris\n Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed\n Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren,\n Nika Layzell, Ted Campbell, and Andrei Cristian Petcu reported\n memory safety bugs present in Firefox 61 and Firefox ESR 60.1.\n Some of these bugs showed evidence of memory corruption and we\n presume that with enough effort that some of these could be\n exploited to run arbitrary code. (CVE-2018-12376)\n\n - A potentially exploitable crash in TransportSecurityInfo used for\n SSL can be triggered by data stored in the local cache in the user\n profile directory. This issue is only exploitable in combination\n with another vulnerability allowing an attacker to write data into\n the local cache or from locally installed malware. This issue also\n triggers a non-exploitable startup crash for users switching\n between the Nightly and Release versions of Firefox if the same\n profile is used. (CVE-2018-12385)\n\n - If a user saved passwords before Firefox 58 and then later set a\n master password, an unencrypted copy of these passwords is still\n accessible. This is because the older stored password file was not\n deleted when the data was copied to a new format starting in\n Firefox 58. The new master password is added only on the new file.\n This could allow the exposure of stored password data outside of\n user expectations. (CVE-2018-12383)\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1412081\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eeb4654f\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1450989\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?20fb56d5\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1459383\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ba771ab\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1466577\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ec8a52cc\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1466991\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?729f9359\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1467363\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1de4cab5\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1467889\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c5d40321\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1468738\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2e15e66a\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1469309\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71d5c763\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1469914\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0410b02e\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1470260\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c939fbe7\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1471953\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?06cc0e92\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1472925\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?635f0fa0\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1473113\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4376815f\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1473161\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?99b48daf\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1475775\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bc528cf5\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1478575\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fdfa1d66\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1478849\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d0c0acea\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1480092\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?69cce0e2\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1480517\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ae70d802\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1480521\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dd5f0586\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1481093\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7d6a368a\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1483120\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?61040df6\");\n # https://bugzilla.mozilla.org/show_bug.cgi?id=1490585\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7fa8df5\");\n # https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d070267e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Thunderbird version 60.2.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-12378\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:thunderbird\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_thunderbird_installed.nasl\");\n script_require_keys(\"MacOSX/Thunderbird/Installed\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nkb_base = \"MacOSX/Thunderbird\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\n\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\n\nif (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Thunderbird install is in the ESR branch.');\n\nmozilla_check_version(version:version, path:path, product:'thunderbird', esr:FALSE, fix:'60.2.1', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:49:07", "description": "Multiple security issues have been found in Thunderbird: Multiple\nmemory safety errors and use-after-frees may lead to the execution of\narbitrary code or denial of service.", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-29T00:00:00", "title": "Debian DSA-4327-1 : thunderbird - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:thunderbird", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4327.NASL", "href": "https://www.tenable.com/plugins/nessus/118473", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4327. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118473);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/04/05 23:25:05\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_xref(name:\"DSA\", value:\"4327\");\n\n script_name(english:\"Debian DSA-4327-1 : thunderbird - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple security issues have been found in Thunderbird: Multiple\nmemory safety errors and use-after-frees may lead to the execution of\narbitrary code or denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/thunderbird\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/thunderbird\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4327\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the thunderbird packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 1:60.2.1-2~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"calendar-google-provider\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-dbg\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-dev\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-all\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ast\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-be\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-bg\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-bn-bd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ca\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-cs\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-da\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-de\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-dsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-el\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-en-gb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-es-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-es-es\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-et\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-eu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-fi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-fr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-fy-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ga-ie\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-gd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-gl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-he\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-hr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-hsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-hu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-hy-am\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-id\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-is\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-it\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ja\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-kab\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ko\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-lt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-nb-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-nn-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-pa-in\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-pl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-pt-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-pt-pt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-rm\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ro\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ru\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-si\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-sk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-sl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-sq\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-sr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-sv-se\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-ta-lk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-tr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-uk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-vi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-zh-cn\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icedove-l10n-zh-tw\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-extension\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ast\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-be\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-bg\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-bn-bd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ca\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-cs\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-cy\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-da\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-de\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-dsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-el\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-en-gb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-es-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-es-es\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-et\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-eu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-fi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-fr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-fy-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ga-ie\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-gd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-gl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-he\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-hr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-hsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-hu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-hy-am\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-id\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-is\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-it\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ja\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-kab\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ko\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-lt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-nb-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-nn-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-pa-in\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-pl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-pt-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-pt-pt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-rm\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ro\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ru\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-si\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-sk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-sl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-sq\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-sr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-sv-se\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-ta-lk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-tr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-uk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-vi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-zh-cn\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"iceowl-l10n-zh-tw\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ast\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-be\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-bg\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-bn-bd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ca\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-cs\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-cy\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-da\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-de\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-dsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-el\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-en-gb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-es-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-es-es\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-et\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-eu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-fi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-fr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-fy-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ga-ie\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-gd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-gl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-he\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-hr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-hsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-hu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-hy-am\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-id\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-is\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-it\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ja\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-kab\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ko\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-lt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-nb-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-nn-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-pa-in\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-pl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-pt-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-pt-pt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-rm\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ro\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ru\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-si\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-sk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-sl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-sq\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-sr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-sv-se\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-ta-lk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-tr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-uk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-vi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-zh-cn\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"lightning-l10n-zh-tw\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-dbg\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-dev\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-all\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ast\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-be\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-bg\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-bn-bd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ca\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-cs\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-da\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-de\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-dsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-el\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-en-gb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-es-ar\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-es-es\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-et\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-eu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-fi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-fr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-fy-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ga-ie\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-gd\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-gl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-he\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-hr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-hsb\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-hu\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-hy-am\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-id\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-is\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-it\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ja\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-kab\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ko\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-lt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-nb-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-nl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-nn-no\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-pa-in\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-pl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-pt-br\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-pt-pt\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-rm\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ro\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ru\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-si\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-sk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-sl\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-sq\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-sr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-sv-se\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-ta-lk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-tr\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-uk\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-vi\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-zh-cn\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"thunderbird-l10n-zh-tw\", reference:\"1:60.2.1-2~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T20:20:01", "description": "An update for thunderbird is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-06T00:00:00", "title": "RHEL 7 : thunderbird (RHSA-2018:3458)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-11-06T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:thunderbird", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:thunderbird-debuginfo", "cpe:/o:redhat:enterprise_linux:7.6"], "id": "REDHAT-RHSA-2018-3458.NASL", "href": "https://www.tenable.com/plugins/nessus/118744", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3458. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118744);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_xref(name:\"RHSA\", value:\"2018:3458\");\n\n script_name(english:\"RHEL 7 : thunderbird (RHSA-2018:3458)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for thunderbird is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3458\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-16541\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12379\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12385\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected thunderbird and / or thunderbird-debuginfo\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:thunderbird-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3458\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"thunderbird-60.2.1-4.el7_5\", allowmaj:TRUE)) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"thunderbird-debuginfo-60.2.1-4.el7_5\", allowmaj:TRUE)) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird / thunderbird-debuginfo\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T20:39:35", "description": "This update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n - Mozilla: Memory safety bugs fixed in Firefox 62 and\n Firefox ESR 60.2 (CVE-2018-12376)\n\n - Mozilla: Use-after-free in driver timers\n (CVE-2018-12377)\n\n - Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n - Mozilla: Proxy bypass using automount and autofs\n (CVE-2017-16541)\n\n - Mozilla: Out-of-bounds write with malicious MAR file\n (CVE-2018-12379)\n\n - Mozilla: Crash in TransportSecurityInfo due to cached\n data (CVE-2018-12385)\n\n - Mozilla: Setting a master password post-Firefox 58 does\n not delete unencrypted previously stored passwords\n (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-01T00:00:00", "title": "Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20181031)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-11-01T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:thunderbird", "p-cpe:/a:fermilab:scientific_linux:thunderbird-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20181031_THUNDERBIRD_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/118585", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118585);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n\n script_name(english:\"Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20181031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n - Mozilla: Memory safety bugs fixed in Firefox 62 and\n Firefox ESR 60.2 (CVE-2018-12376)\n\n - Mozilla: Use-after-free in driver timers\n (CVE-2018-12377)\n\n - Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n - Mozilla: Proxy bypass using automount and autofs\n (CVE-2017-16541)\n\n - Mozilla: Out-of-bounds write with malicious MAR file\n (CVE-2018-12379)\n\n - Mozilla: Crash in TransportSecurityInfo due to cached\n data (CVE-2018-12385)\n\n - Mozilla: Setting a master password post-Firefox 58 does\n not delete unencrypted previously stored passwords\n (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1810&L=scientific-linux-errata&F=&S=&P=13678\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a52904dc\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected thunderbird and / or thunderbird-debuginfo\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:thunderbird-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"thunderbird-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\nif (rpm_check(release:\"SL6\", reference:\"thunderbird-debuginfo-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird / thunderbird-debuginfo\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T20:19:57", "description": "An update for thunderbird is now available for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-31T00:00:00", "title": "RHEL 6 : thunderbird (RHSA-2018:3403)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-10-31T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:thunderbird", "p-cpe:/a:redhat:enterprise_linux:thunderbird-debuginfo", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2018-3403.NASL", "href": "https://www.tenable.com/plugins/nessus/118552", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3403. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118552);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-16541\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12379\", \"CVE-2018-12383\", \"CVE-2018-12385\");\n script_xref(name:\"RHSA\", value:\"2018:3403\");\n\n script_name(english:\"RHEL 6 : thunderbird (RHSA-2018:3403)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for thunderbird is now available for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es) :\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n(CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file\n(CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data\n(CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete\nunencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a\nspecially crafted HTML mail, as JavaScript is disabled for mail\nmessages and cannot be enabled. They could be exploited another way in\nThunderbird, for example, when viewing the remote content of an RSS\nfeed.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these\nissues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph\nDiehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan\nTara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils,\nZhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the\noriginal reporters.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3403\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-16541\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12379\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12385\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected thunderbird and / or thunderbird-debuginfo\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:thunderbird-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3403\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"thunderbird-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"thunderbird-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"thunderbird-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"thunderbird-debuginfo-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"thunderbird-debuginfo-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"thunderbird-debuginfo-60.2.1-5.el6\", allowmaj:TRUE)) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird / thunderbird-debuginfo\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:49:15", "description": "Multiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these\npasswords would still be accessible. A local user could exploit this\nto obtain sensitive information. (CVE-2018-12383).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-07T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : firefox vulnerabilities (USN-3761-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:firefox", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3761-1.NASL", "href": "https://www.tenable.com/plugins/nessus/117357", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3761-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117357);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/18 12:31:48\");\n\n script_cve_id(\"CVE-2018-12375\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12383\");\n script_xref(name:\"USN\", value:\"3761-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : firefox vulnerabilities (USN-3761-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these\npasswords would still be accessible. A local user could exploit this\nto obtain sensitive information. (CVE-2018-12383).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3761-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"firefox\", pkgver:\"62.0+build2-0ubuntu0.14.04.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"firefox\", pkgver:\"62.0+build2-0ubuntu0.16.04.3\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"firefox\", pkgver:\"62.0+build2-0ubuntu0.18.04.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-18T10:56:45", "description": "USN-3761-1 fixed vulnerabilities in Firefox. The update caused several\nregressions affecting spellchecker dictionaries and search engines.\nThis update fixes the problems.\n\nWe apologize for the inconvenience.\n\nMultiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these\npasswords would still be accessible. A local user could exploit this\nto obtain sensitive information. (CVE-2018-12383).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-14T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Firefox regressions (USN-3761-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12377", "CVE-2018-12375", "CVE-2018-12376"], "modified": "2018-09-14T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:firefox", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3761-2.NASL", "href": "https://www.tenable.com/plugins/nessus/117496", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3761-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117496);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-12375\", \"CVE-2018-12376\", \"CVE-2018-12377\", \"CVE-2018-12378\", \"CVE-2018-12383\");\n script_xref(name:\"USN\", value:\"3761-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Firefox regressions (USN-3761-2)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"USN-3761-1 fixed vulnerabilities in Firefox. The update caused several\nregressions affecting spellchecker dictionaries and search engines.\nThis update fixes the problems.\n\nWe apologize for the inconvenience.\n\nMultiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, or execute\narbitrary code. (CVE-2018-12375, CVE-2018-12376, CVE-2018-12377,\nCVE-2018-12378)\n\nIt was discovered that if a user saved passwords before Firefox 58 and\nthen later set a master password, an unencrypted copy of these\npasswords would still be accessible. A local user could exploit this\nto obtain sensitive information. (CVE-2018-12383).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3761-2/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"firefox\", pkgver:\"62.0+build2-0ubuntu0.14.04.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"firefox\", pkgver:\"62.0+build2-0ubuntu0.16.04.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"firefox\", pkgver:\"62.0+build2-0ubuntu0.18.04.4\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-10-17T13:34:34", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4327-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 25, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : thunderbird\nCVE ID : CVE-2017-16541 CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 \n CVE-2018-12379 CVE-2018-12383 CVE-2018-12385\n\nMultiple security issues have been found in Thunderbird: Multiple memory\nsafety errors and use-after-frees may lead to the execution of arbitrary\ncode or denial of service.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:60.2.1-2~deb9u1.\n\nWe recommend that you upgrade your thunderbird packages.\n\nFor the detailed security status of thunderbird please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/thunderbird\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 14, "modified": "2018-10-25T21:25:19", "published": "2018-10-25T21:25:19", "id": "DEBIAN:DSA-4327-1:FC18F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00258.html", "title": "[SECURITY] [DSA 4327-1] thunderbird security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-11T01:24:39", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12378", "CVE-2018-12377", "CVE-2018-12376"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4287-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 07, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : firefox-esr\nCVE ID : CVE-2018-12376 CVE-2018-12377 CVE-2018-12378\n\nSeveral security issues have been found in the Mozilla Firefox web\nbrowser: Multiple memory safety errors and use-after-frees may lead to\nthe execution of arbitrary code or denial of service.\n\nDebian follows the extended support releases (ESR) of Firefox. Support\nfor the 52.x series has ended, so starting with this update we're now\nfollowing the 60.x releases.\n\nBetween 52.x and 60.x, Firefox has undergone significant internal\nupdates, which makes it incompatible with a number of extensions. For\nmore information please refer to\nhttps://www.mozilla.org/en-US/firefox/60.0esr/releasenotes/ \n\nIn addition, the new Firefox packages require Rust to build. A\ncompatible Rust toolchain has been backported to Debian stretch, but is\nnot available for all architectures which previously supported the\npurely C++-based Firefox packages. Thus, the new Firefox packages\ndon't support the armel, armhf, mips, mips64el and mipsel architectures\nat this point.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 60.2.0esr-1~deb9u2.\n\nWe recommend that you upgrade your firefox-esr packages.\n\nFor the detailed security status of firefox-esr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/firefox-esr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 22, "modified": "2018-09-07T21:20:22", "published": "2018-09-07T21:20:22", "id": "DEBIAN:DSA-4287-1:A5F94", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00217.html", "title": "[SECURITY] [DSA 4287-1] firefox-esr security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-11T01:23:50", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4304-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 23, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : firefox-esr\nCVE ID : CVE-2018-12383 CVE-2018-12385\n\nTwo security issues have been found in the Mozilla Firefox web browser,\nwhich could potentially result in the execution of arbitrary code and\nlocal information disclosure.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 60.2.1esr-1~deb9u1.\n\nWe recommend that you upgrade your firefox-esr packages.\n\nFor the detailed security status of firefox-esr please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/firefox-esr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 23, "modified": "2018-09-23T18:28:18", "published": "2018-09-23T18:28:18", "id": "DEBIAN:DSA-4304-1:3BB50", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00235.html", "title": "[SECURITY] [DSA 4304-1] firefox-esr security update", "type": "debian", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:25", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "[60.2.1-4.0.1]\n- Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js\n[60.2.1-4]\n- Fixing minor issues\n[60.2.1-3]\n- Reverting deleting of key3db\n[60.2.1-2]\n- Update to 60.2.1\n- Added fix for rhbz#1546988\n[60.0-1]\n- Rebase to version 60", "edition": 4, "modified": "2018-11-07T00:00:00", "published": "2018-11-07T00:00:00", "id": "ELSA-2018-3458", "href": "http://linux.oracle.com/errata/ELSA-2018-3458.html", "title": "thunderbird security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:09", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "[60.2.1-5.0.1]\n- Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js\n[60.2.1-5]\n- Fixing minor issues\n[60.2.1-3]\n- Reverting deleting of key3db\n[60.2.1-2]\n- Update to 60.2.1\n- Added fix for rhbz#1546988\n[60.0-1]\n- Rebase to version 60", "edition": 3, "modified": "2018-11-19T00:00:00", "published": "2018-11-19T00:00:00", "id": "ELSA-2018-3403", "href": "http://linux.oracle.com/errata/ELSA-2018-3403.html", "title": "thunderbird security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:04", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "[60.2.1-1.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[60.2.1-1]\n- Update to 60.2.1 ESR", "edition": 5, "modified": "2018-09-27T00:00:00", "published": "2018-09-27T00:00:00", "id": "ELSA-2018-2835", "href": "http://linux.oracle.com/errata/ELSA-2018-2835.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "[60.2.0-1.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6", "edition": 4, "modified": "2018-09-12T00:00:00", "published": "2018-09-12T00:00:00", "id": "ELSA-2018-2692", "href": "http://linux.oracle.com/errata/ELSA-2018-2692.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-09-25T02:10:06", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2017-5428", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "[60.2.0-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "edition": 1, "modified": "2018-09-24T00:00:00", "published": "2018-09-24T00:00:00", "id": "ELSA-2018-2693", "href": "http://linux.oracle.com/errata/ELSA-2018-2693.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2020-07-01T07:53:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16541", "CVE-2018-12376", "CVE-2018-12377", "CVE-2018-12378", "CVE-2018-12379", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-18499"], "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a specially crafted HTML mail, as JavaScript is disabled for mail messages and cannot be enabled. They could be exploited another way in Thunderbird, for example, when viewing the remote content of an RSS feed.\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the original reporters.", "modified": "2020-07-01T11:05:50", "published": "2018-10-30T18:55:51", "id": "RHSA-2018:3403", "href": "https://access.redhat.com/errata/RHSA-2018:3403", "type": "redhat", "title": "(RHSA-2018:3403) Important: thunderbird security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T07:54:34", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16541", "CVE-2018-12376", "CVE-2018-12377", "CVE-2018-12378", "CVE-2018-12379", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-18499"], "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a specially crafted HTML mail, as JavaScript is disabled for mail messages and cannot be enabled. They could be exploited another way in Thunderbird, for example, when viewing the remote content of an RSS feed.\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the original reporters.", "modified": "2020-07-01T11:05:49", "published": "2018-11-05T14:56:07", "id": "RHSA-2018:3458", "href": "https://access.redhat.com/errata/RHSA-2018:3458", "type": "redhat", "title": "(RHSA-2018:3458) Important: thunderbird security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:04", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Philipp and Jurgen Gaeremyn as the original reporters.", "modified": "2018-09-27T23:55:04", "published": "2018-09-27T23:50:47", "id": "RHSA-2018:2835", "href": "https://access.redhat.com/errata/RHSA-2018:2835", "type": "redhat", "title": "(RHSA-2018:2835) Moderate: firefox security update", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Philipp and Jurgen Gaeremyn as the original reporters.", "modified": "2018-09-27T23:43:54", "published": "2018-09-27T23:41:11", "id": "RHSA-2018:2834", "href": "https://access.redhat.com/errata/RHSA-2018:2834", "type": "redhat", "title": "(RHSA-2018:2834) Moderate: firefox security update", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T07:53:37", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16541", "CVE-2018-12376", "CVE-2018-12377", "CVE-2018-12378", "CVE-2018-12379", "CVE-2018-18499"], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song, and Holger Fuhrmannek as the original reporters.", "modified": "2020-07-01T11:05:48", "published": "2018-09-12T13:58:54", "id": "RHSA-2018:2692", "href": "https://access.redhat.com/errata/RHSA-2018:2692", "type": "redhat", "title": "(RHSA-2018:2692) Critical: firefox security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T11:53:17", "bulletinFamily": "info", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376", "CVE-2018-18499"], "description": "### *Detect date*:\n10/04/2018\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple serious vulnerabilities were found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, execute arbitrary code. Below is a complete list of vulnerabilities:\n\n### *Affected products*:\nMozilla Thunderbird earlier than 60.2.1\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Thunderbird](<https://www.mozilla.org/en-US/thunderbird/>)\n\n### *Original advisories*:\n[Mozilla Foundation Security Advisory 2018-25](<https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Mozilla Thunderbird](<https://threats.kaspersky.com/en/product/Mozilla-Thunderbird/>)\n\n### *CVE-IDS*:\n[CVE-2018-12377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12377>)0.0Unknown \n[CVE-2018-12378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12378>)0.0Unknown \n[CVE-2018-12379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12379>)0.0Unknown \n[CVE-2017-16541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16541>)0.0Unknown \n[CVE-2018-12383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12383>)0.0Unknown \n[CVE-2018-12376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12376>)0.0Unknown \n[CVE-2018-12385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12385>)0.0Unknown \n[CVE-2018-18499](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18499>)0.0Unknown", "edition": 24, "modified": "2020-05-22T00:00:00", "published": "2018-10-04T00:00:00", "id": "KLA11336", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11336", "title": "\r KLA11336Multiple vulnerabilities in Mozilla Thunderbird ", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T12:00:37", "bulletinFamily": "info", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "### *Detect date*:\n09/21/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities were found in Mozilla Firefox and Mozilla Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information.\n\n### *Affected products*:\nMozilla Firefox earlier than 62.0.2 \nMozilla Firefox ESR 60 earlier than 60.2.1\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Firefox ESR](<https://www.mozilla.org/en-US/firefox/organizations/all/>) \n[Download Mozilla Firefox](<https://www.mozilla.org/en-US/firefox/new/>)\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Mozilla Firefox](<https://threats.kaspersky.com/en/product/Mozilla-Firefox/>)\n\n### *CVE-IDS*:\n[CVE-2018-12383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12383>)0.0Unknown \n[CVE-2018-12385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12385>)0.0Unknown", "edition": 25, "modified": "2020-05-22T00:00:00", "published": "2018-09-21T00:00:00", "id": "KLA11321", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11321", "title": "\r KLA11321Multiple vulnerabilities in Mozilla Firefox and Mozilla Firefox ESR ", "type": "kaspersky", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-12-08T03:34:45", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12385", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376", "CVE-2018-18499"], "description": "**CentOS Errata and Security Advisory** CESA-2018:3403\n\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.2.1.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nNote: All of the above issues cannot be exploited in Thunderbird by a specially crafted HTML mail, as JavaScript is disabled for mail messages and cannot be enabled. They could be exploited another way in Thunderbird, for example, when viewing the remote content of an RSS feed.\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song, Holger Fuhrmannek, Philipp, and Jurgen Gaeremyn as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-November/035116.html\n\n**Affected packages:**\nthunderbird\n\n**Upstream details at:**\n", "edition": 6, "modified": "2018-11-05T18:57:41", "published": "2018-11-05T18:57:41", "id": "CESA-2018:3403", "href": "http://lists.centos.org/pipermail/centos-announce/2018-November/035116.html", "title": "thunderbird security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:36:33", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "**CentOS Errata and Security Advisory** CESA-2018:2834\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Philipp and Jurgen Gaeremyn as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-September/035064.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 6, "modified": "2018-09-28T16:30:58", "published": "2018-09-28T16:30:58", "id": "CESA-2018:2834", "href": "http://lists.centos.org/pipermail/centos-announce/2018-September/035064.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:35:18", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "**CentOS Errata and Security Advisory** CESA-2018:2835\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Crash in TransportSecurityInfo due to cached data (CVE-2018-12385)\n\n* Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords (CVE-2018-12383)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Philipp and Jurgen Gaeremyn as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-September/035066.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 6, "modified": "2018-09-28T16:44:12", "published": "2018-09-28T16:44:12", "id": "CESA-2018:2835", "href": "http://lists.centos.org/pipermail/centos-announce/2018-September/035066.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:34:13", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376", "CVE-2018-18499"], "description": "**CentOS Errata and Security Advisory** CESA-2018:2692\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song, and Holger Fuhrmannek as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-September/035060.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 7, "modified": "2018-09-13T16:39:24", "published": "2018-09-13T16:39:24", "id": "CESA-2018:2692", "href": "http://lists.centos.org/pipermail/centos-announce/2018-September/035060.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:34:56", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376", "CVE-2018-18499"], "description": "**CentOS Errata and Security Advisory** CESA-2018:2693\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.2.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376)\n\n* Mozilla: Use-after-free in driver timers (CVE-2018-12377)\n\n* Mozilla: Use-after-free in IndexedDB (CVE-2018-12378)\n\n* Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541)\n\n* Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-12379)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, Nils, Zhanjia Song, and Holger Fuhrmannek as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-September/035058.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 7, "modified": "2018-09-13T16:33:00", "published": "2018-09-13T16:33:00", "id": "CESA-2018:2693", "href": "http://lists.centos.org/pipermail/centos-announce/2018-September/035058.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-09-05T08:21:30", "bulletinFamily": "info", "cvelist": ["CVE-2018-12375", "CVE-2018-12376", "CVE-2018-12377", "CVE-2018-12378"], "description": "Mozilla released nine fixes in its Wednesday launch of Firefox 62 for Windows, Mac and Android \u2013 including one for a critical glitch that could enable attackers to run arbitrary code.\n\nOverall, the latest version of the Firefox browser included fixes for the critical issue, three high-severity flaws, two moderate problems and three low-severity vulnerabilities. Topping the list is a memory safety bug ([CVE-2018-12376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12376>)), discovered by a number of Mozilla developers and community members.\n\nA critical impact bug means the vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing, according to Mozilla. The memory safety problem, which exists in Firefox 61 and Firefox ESR 60, meets these criteria, researchers said. Mozilla didn\u2019t release further details, but it did assign one CVE to represent multiple similar issues.\n\n\u201cSome of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,\u201d according to a Mozilla [advisory](<https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/>) posted on Wednesday,\n\nIn addition to the memory safety bug(s), Mozilla also fixed three high-severity vulnerabilities in its latest update.\n\nThese include a use-after-free glitch in refresh driver timers ([CVE-2018-12377](<https://nvd.nist.gov/vuln/detail/CVE-2018-12377>)), which power browser-page refreshes. The bug exists when refresh driver timers are refreshed during shutdown. When the timer is deleted while still in use, the result is a potentially exploitable crash, the advisory said.\n\nAnother high-severity bug ([CVE-2018-12378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12378>)) is a use-after-free vulnerability that occurs when an IndexedDB index (a low-level API for client-side storage of significant amounts of structured data) is deleted while still in use by JavaScript code providing payload values. \u201cThis results in a potentially exploitable crash,\u201d the advisory said.\n\nMozilla developers and community members also found a memory-safety bug ([CVE-2018-12375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12375>)) in Firefox 61, which showed evidence of memory corruption and could be exploited to run arbitrary code, according to the advisory.\n\nThe moderate and low-severity fixes that were deployed in Firefox 62 include patches for an out-of-bounds write flaw (triggered when the Mozilla Updater opens a MAR format file that contains a very long item filename); and a proxy bypass glitch in the browser\u2019s proxy settings.\n\nFirefox 62 for desktop is available for [download](<https://www.mozilla.org/en-US/firefox/62.0/releasenotes/>) on Mozilla\u2019s website. Its release follows another browser update this week: Google [has also released](<https://threatpost.com/google-rolls-out-40-fixes-with-chrome-69/137210/>) the latest version of Chrome, with 40 security fixes.\n", "modified": "2018-09-06T14:34:28", "published": "2018-09-06T14:34:28", "id": "THREATPOST:4DA8C35FD9DE12E4072829BE75A2282D", "href": "https://threatpost.com/mozillas-release-of-firefox-62-packs-nine-fixes/137230/", "type": "threatpost", "title": "Mozilla Patches Critical Code Execution Bug in Firefox 62", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2018-09-08T17:50:19", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12378", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "description": "This update to Mozilla Firefox 60.2.0esr fixes the following issues:\n\n Security issues fixed (MFSA 2018-21, boo#1107343):\n\n - CVE-2018-12377: Use-after-free in refresh driver timers\n - CVE-2018-12378: Use-after-free in IndexedDB\n - CVE-2017-16541: Proxy bypass using automount and autofs (boo#1066489)\n - CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR\n 60.2\n\n", "edition": 1, "modified": "2018-09-08T15:07:29", "published": "2018-09-08T15:07:29", "id": "OPENSUSE-SU-2018:2674-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00020.html", "title": "Security update for MozillaFirefox (important)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-24T14:08:44", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12383", "CVE-2018-12385"], "description": "This update for Mozilla Firefox to version 60.2.1esr fixes the following\n issues:\n\n Security issues fixed (MFSA 2018-23):\n\n - CVE-2018-12385: Crash in TransportSecurityInfo due to cached data\n (boo#1109363)\n - CVE-2018-12383: Setting a master password did not delete unencrypted\n previously stored passwords (boo#1107343)\n\n Bugx fixed:\n\n - Fixed a startup crash affecting users migrating from older ESR releases\n\n", "edition": 1, "modified": "2018-09-24T12:16:46", "published": "2018-09-24T12:16:46", "id": "OPENSUSE-SU-2018:2817-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00065.html", "title": "Security update for MozillaFirefox (moderate)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2019-05-29T18:31:51", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12379", "CVE-2018-12381", "CVE-2018-12378", "CVE-2018-12383", "CVE-2018-12382", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12375", "CVE-2018-12376"], "description": "\nMozilla Foundation reports:\n\nCVE-2018-12377: Use-after-free in refresh driver timers\nCVE-2018-12378: Use-after-free in IndexedDB\nCVE-2018-12379: Out-of-bounds write with malicious MAR file\nCVE-2017-16541: Proxy bypass using automount and autofs\nCVE-2018-12381: Dragging and dropping Outlook email message results in page navigation\nCVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android\nCVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords\nCVE-2018-12375: Memory safety bugs fixed in Firefox 62\nCVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2\n\n", "edition": 4, "modified": "2018-09-15T00:00:00", "published": "2018-09-05T00:00:00", "id": "C96D416A-EAE7-4D5D-BC84-40DECA9329FB", "href": "https://vuxml.freebsd.org/freebsd/c96d416a-eae7-4d5d-bc84-40deca9329fb.html", "title": "mozilla -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}