ESB-2019.0457 - [SUSE] Mozilla Thunderbird: Multiple vulnerabilities 2019-02-13

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0457
       SUSE Security Update: Security update for MozillaThunderbird
                             13 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Thunderbird
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Increased Privileges     -- Remote with User Interaction
                   Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-18505 CVE-2018-18501 CVE-2018-18500
                   CVE-2018-18498 CVE-2018-18494 CVE-2018-18493
                   CVE-2018-18492 CVE-2018-17466 CVE-2018-12405
                   CVE-2016-5824  

Reference:         ASB-2019.0043
                   ASB-2019.0042
                   ESB-2019.0317
                   ESB-2019.0267

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20190338-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0338-1
Rating:             important
References:         #1119105 #1122983 
Cross-References:   CVE-2016-5824 CVE-2018-12405 CVE-2018-17466
                    CVE-2018-18492 CVE-2018-18493 CVE-2018-18494
                    CVE-2018-18498 CVE-2018-18500 CVE-2018-18501
                    CVE-2018-18505
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird to version 60.5 fixes the following
   issues:

   Security vulnerabilities addressed (MSFA 2019-03 MSFA 2018-31 bsc#1122983
   bsc#1119105):

   * CVE-2018-18500: Use-after-free parsing HTML5 stream
   * CVE-2018-18505: Privilege escalation through IPC channel messages
   * CVE-2016-5824 DoS (use-after-free) via a crafted ics file
   * CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR
     60.5
   * CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library
     with TextureStorage11
   * CVE-2018-18492: Use-after-free with select element
   * CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia
   * CVE-2018-18494: Same-origin policy violation using location attribute
     and performance.getEntries to steal cross-origin URLs
   * CVE-2018-18498: Integer overflow when calculating buffer sizes for images
   * CVE-2018-12405: Memory safety bugs fixed in Firefox 64, 60.4, and
     Thunderbird 60.4

   Other bug fixes and changes:

   * FileLink provider WeTransfer to upload large attachments
   * Thunderbird now allows the addition of OpenSearch search engines from a
     local XML file using a minimal user interface: [+] button to select a
     file an add, [-] to remove.
   * More search engines: Google and DuckDuckGo available by default in some
     locales
   * During account creation, Thunderbird will now detect servers using the
     Microsoft Exchange protocol. It will offer the installation of a 3rd
     party add-on (Owl) which supports that protocol.
   * Thunderbird now compatible with other WebExtension-based FileLink
     add-ons like the Dropbox add-on
   * New WebExtensions FileLink API to facilitate add-ons
   * Fix decoding problems for messages with less common charsets (cp932,
     cp936)
   * New messages in the drafts folder (and other special or virtual folders)
     will no longer be included in the new messages notification
   * Thunderbird 60 will migrate security databases (key3.db, cert8.db to
     key4.db, cert9.db).
   * Address book search and auto-complete slowness
   * Plain text markup with * for bold, / for italics, _ for underline and |
     for code did not work when the enclosed text contained non-ASCII
     characters
   * While composing a message, a link not removed when link location was
     removed in the link properties panel
   * Encoding problems when exporting address books or messages using the
     system charset. Messages are now always exported using the UTF-8 encoding
   * If the "Date" header of a message was invalid, Jan 1970 or Dec 1969 was
     displayed. Now using date from "Received" header instead.
   * Body search/filtering didn't reliably ignore content of tags
   * Inappropriate warning "Thunderbird prevented the site
     (addons.thunderbird.net) from asking you to install software on your
     computer" when installing add-ons
   * Incorrect display of correspondents column since own email address was
     not always detected
   * Spurious 
 (encoded newline) inserted into drafts and sent email
   * Double-clicking on a word in the Write window sometimes launched the
     Advanced Property Editor or Link Properties dialog
   * Fixe Cookie removal
   * "Download rest of message" was not working if global inbox was used
   * Fix Encoding problems for users (especially in Poland) when a file was
     sent via a folder using "Sent to > Mail recipient" due to a problem in
     the Thunderbird MAPI interface
   * According to RFC 4616 and RFC 5721, passwords containing non-ASCII
     characters are encoded using UTF-8 which can lead to problems with
     non-compliant providers, for example office365.com. The SMTP LOGIN and
     POP3 USER/PASS authentication methods are now using a Latin-1 encoding
     again to work around this issue
   * Fix shutdown crash/hang after entering an empty IMAP password


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15:

      zypper in -t patch SUSE-SLE-Product-WE-15-2019-338=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 15 (x86_64):

      MozillaThunderbird-60.5.0-3.20.2
      MozillaThunderbird-debuginfo-60.5.0-3.20.2
      MozillaThunderbird-debugsource-60.5.0-3.20.2
      MozillaThunderbird-translations-common-60.5.0-3.20.2
      MozillaThunderbird-translations-other-60.5.0-3.20.2


References:

   https://www.suse.com/security/cve/CVE-2016-5824.html
   https://www.suse.com/security/cve/CVE-2018-12405.html
   https://www.suse.com/security/cve/CVE-2018-17466.html
   https://www.suse.com/security/cve/CVE-2018-18492.html
   https://www.suse.com/security/cve/CVE-2018-18493.html
   https://www.suse.com/security/cve/CVE-2018-18494.html
   https://www.suse.com/security/cve/CVE-2018-18498.html
   https://www.suse.com/security/cve/CVE-2018-18500.html
   https://www.suse.com/security/cve/CVE-2018-18501.html
   https://www.suse.com/security/cve/CVE-2018-18505.html
   https://bugzilla.suse.com/1119105
   https://bugzilla.suse.com/1122983

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXGO8qWaOgq3Tt24GAQhHGg//TDwdj1SaOU2yIuleQC7J7rbaTUBQiIcw
lT5tHMqm3mZh6QI7tt7gontBg5USS3eoewGTr2lOiIw9aQmSxPyMMMQOK/UX/dtg
W+FBkfXKGqoU3etIxZKSoNiSpxY1jVKkMgikBSwTUN4x0vw00NFy6fDm4WkJrbDY
YvjlDfRrzNoZpyVe/Qk25WiJarptfUEdi+Ok3ZEmk/MmbttGWyi6OM0AupHZF2k0
mYqzaPARQF3HMSD4qvgxZiI1YA7vXMObB+wn0it/n9kvuRGr1aelFZ7gQzMB3E7H
LFY1tUw034/tlcPhTuDoFI0m/caklLo/fZ3xBXQxtIuILAzymm0mYqG7ZPGTU7vE
RJOnrECvGF0SCDP8HgAqLM9I4Y37DCVT4qMjZyIRd702uhl+Q1hE8fOx4YspAFtS
ak/dF5W/n6M5p6FSYYemQVWh6zhUZ1gd6pSz45loLAwa9HI/T4VdnqelkYE9+mqq
rvJXJJZKENQaJyz+cVStBpCAJ8G9MMCJcvQlukMZpL2t1mWE5IXifU3V0Yw+L+NB
nO67NsnBipxjBD/GSOZuqLHiH/vwNAjsW+Xr4dYwhAdaf2jPSviPhAeUvWgjZnr4
59R2GG0c/tEsc9dJhwbNf3rDIxbcG5OG9KDQ6Rk9sBYC/6wRJIgPDsL4U/QJkp0c
COIBV6j6cQY=
=yCED
-----END PGP SIGNATURE-----

« Back to bulletins