===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3510.2
                        thunderbird security update
                             19 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11752 CVE-2019-11746 CVE-2019-11744
                   CVE-2019-11743 CVE-2019-11742 CVE-2019-11740
                   CVE-2019-11739

Reference:         ASB-2019.0268

Original Bulletin:
   https://security-tracker.debian.org/tracker/DSA-4523-1

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running thunderbird check for an updated version of the software
         for their operating system.

Revision History:  September 19 2019: vendor advisory that issue fix available for debian 8
                   September 16 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4523-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 15, 2019                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743
                 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code, cross-site
scripting, information disclosure and a covert content attack on S/MIME
encryption using a crafted multipart/alternative message.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:60.9.0-1~deb9u1 and 1:60.9.0-1~deb8u1.

For the stable distribution (buster), these problems have been fixed in
version 1:60.9.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================