Lucene search

K
suseSuseOPENSUSE-SU-2018:1905-1
HistoryJul 07, 2018 - 12:07 a.m.

Security update for Mozilla Thunderbird (moderate)

2018-07-0700:07:52
lists.opensuse.org
64

0.007 Low

EPSS

Percentile

77.1%

This update for Mozilla Thunderbird to version 52.9.0 fixes multiple
issues.

Security issues fixed, inherited from the Mozilla common code base (MFSA
2018-16, bsc#1098998):

  • CVE-2018-12359: Buffer overflow using computed size of canvas element
  • CVE-2018-12360: Use-after-free when using focus()
  • CVE-2018-12362: Integer overflow in SSSE3 scaler
  • CVE-2018-12363: Use-after-free when appending DOM nodes
  • CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
  • CVE-2018-12365: Compromised IPC child process can list local filenames
  • CVE-2018-12366: Invalid data handling during QCMS transformations
  • CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0

Security issues fixed that affect e-mail privacy and integrity (including
EFAIL):

  • CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
    emails (bsc#1100082)
  • CVE-2018-12373: S/MIME plaintext can be leaked through HTML
    reply/forward (bsc#1100079)
  • CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
    enter in form field (bsc#1100081)

The following options are available for added security in certain
scenarios:

  • Option for not decrypting subordinate message parts that otherwise might
    reveal decryted content to the attacker. Preference
    mailnews.p7m_subparts_external needs to be set to true for added
    security.

The following upstream changes are included:

  • Thunderbird will now prompt to compact IMAP folders even if the account
    is online
  • Fix various problems when forwarding messages inline when using "simple"
    HTML view

The following tracked packaging changes are included:

  • correct requires and provides handling (boo#1076907)
  • reduce memory footprint with %ix86 at linking time via additional
    compiler flags (boo#1091376)
  • Build from upstream source archive and verify source signature
    (boo#1085780)