Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.3536 [DLA 1575-1] thunderbird security update 13 November 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: thunderbird Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Access Privileged Data -- Existing Account Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-12393 CVE-2018-12392 CVE-2018-12390 CVE-2018-12389 CVE-2018-12385 CVE-2018-12383 CVE-2018-12379 CVE-2018-12378 CVE-2018-12377 CVE-2018-12376 CVE-2018-12371 CVE-2018-12367 CVE-2018-12361 CVE-2018-5187 CVE-2018-5156 CVE-2017-16541 Reference: ASB-2018.0189 ESB-2018.3531 ESB-2018.2774 ESB-2018.1884 ASB-2018.0208.5 Original Bulletin: https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : thunderbird Version : 1:60.3.0-1~deb8u1 CVE ID : CVE-2017-16541 CVE-2018-5156 CVE-2018-5187 CVE-2018-12361 CVE-2018-12367 CVE-2018-12371 CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 CVE-2018-12379 CVE-2018-12383 CVE-2018-12385 CVE-2018-12389 CVE-2018-12390 CVE-2018-12392 CVE-2018-12393 Multiple security issues have been found in Thunderbird: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service. Debian follows the Thunderbird upstream releases. Support for the 52.x series has ended, so starting with this update we're now following the 60.x releases. Between 52.x and 60.x, Thunderbird has undergone significant internal updates, which makes it incompatible with a number of extensions. For more information please refer to https://support.mozilla.org/en-US/kb/new-thunderbird-60 For Debian 8 "Jessie", these problems have been fixed in version 1:60.3.0-1~deb8u1. We recommend that you upgrade your thunderbird packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlvpSBYACgkQnUbEiOQ2 gwLbkRAAsy6YWmnMQsw2XsmLShkkOVFUa8Y0wuYAUNer1QRcWKkWsaLTCc6ytg2U joxfwCGTdbalUaCj7Xsqa/+S9NFACZVjqZY1FYyuPPMNIIcG5i82IWUg+GKCDaGI 4S3gK9o/fHYki7Rnfj363SEGaRWhaLqnaIPbXiI8zYcFZ+6T1MgHEWcyN06RQ9fH 5BUVh8Om233+2Z0tIw8RTjdAPKyW+q442lWt5jcvKrlp7X8LXqYpiVM2382ss5VA kC1RhaXI3M59wjntwZSx3dEKacrNVhvFQN+pfcAhW9u814XR06Uvtvl4/nVcq8aN mIwU6f3870TgvpR7oNVb4laHFgA5RdjHOAtv1ZY5+PJ85v6apoqTDnmED/Cz6UsJ Q8pK1b0+On6RjYwHX+sWGnv+QGxwC+XJ1nkb/oQIhy7GUXlKLpJGdvCFIY2zH24t U8jsoTIUL48DaBg3541l7vJFb0gt81pBReYgzHL3rPxBpr2bKuLXfZ5OxAvvSLEy zddjoXezi0ZNMDPA1mbZel3g06rzzCu9LmwIm9LcIfbqdg9dI/MsNDS0cRYdvNQI YPK2hlekKlnp6bjrFj48c98ITxgLl1oHFPW6DsqWbXPy5lmwRM6p7SEee8/l/28D LXHXGBH9xOqJN21YPdkm/mKPEZjSmz8WMUh258TRq710CU9dUpI= =j+64 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW+oQTmaOgq3Tt24GAQgFJw/9HoxYDP8uClnBTNKwlQkchNRCSxXJBNS9 dIkCi/cGlOjrH/3Ksh0SR/vgaMoL+fYFCXitZQtxc/JVp6cbssSm4Y8vi7hUSH8G L2Fvnuy4j1k9slCVyVVsv0i2QUDeDvGz9JSQxY7r42FNkTfLRhCYh/sWtHJKANS9 t0inaiLFu3pLCZWiTpBfomvffW+ytqTLOP3YoftIO0YmU258H9xWH/UwB3eXmJfM Lh1NdrFzU0uWdAtgIfouYSEYn3NJcW1K5Xm56JBrWXilVzFu3XLxI38LicAG9TO2 04W1Mr+udVtRU/H6PQXafXjJOcN9w74f8/sr/YD30Qkxx/iKEMoeXtuqG6Ybn0es UMI3vA6FUo00pemBmGjGkBplkoeo0okBSxB68MzX9v7vhC2k+2mOVty3TXxi89VF Ke2VlYQXo0JuBocP4Gc3cydGP2L5SqlwMVFcWiGvYQY71mzJMg0Rj1L6Yl72KaPN OLtzyckAZmAu8400uC5dnb5889fhVa0pv8p+B6yTzRuyiO0onPTuu6+F3JxOGP4H Y/kRVnUbhPxwTWTyWLVszi7pjgMVPjV544RYO/cRwX0cA1UT+pNihEYX27grAn5x /niLRCd26mDWFAUmONlQHF1asQH5bwY+iJrq2f0x1cuy2mofITGa0UWuvtAXHnqX H9VnlwFmS5M= =M8zh -----END PGP SIGNATURE-----