Overview

File _patchinfo of Package patchinfo.7994

<patchinfo incident="7994">
  <packager>AndreasStieger</packager>
  <issue tracker="cve" id="2018-12359"></issue>
  <issue tracker="cve" id="2018-12360"></issue>
  <issue tracker="cve" id="2018-12362"></issue>
  <issue tracker="cve" id="2018-12363"></issue>
  <issue tracker="cve" id="2018-12364"></issue>
  <issue tracker="cve" id="2018-5188"></issue>
  <issue tracker="cve" id="2018-12365"></issue>
  <issue tracker="cve" id="2018-12366"></issue>
  <issue tracker="bnc" id="1098998">VUL-0: MozillaFirefox: 52.9esr/60.1.0esr/61 release</issue>
  <issue tracker="cve" id="2018-12372"></issue>
  <issue tracker="bnc" id="1100082">VUL-0: CVE-2018-12372: MozillaThunderbird: S/MIME and PGP decryption oracles can be built with HTML emails</issue>
  <issue tracker="cve" id="2018-12373"></issue>
  <issue tracker="bnc" id="1100079">VUL-0: CVE-2018-12373: MozillaThunderbird: S/MIME plaintext can be leaked through HTML reply/forward</issue>
  <issue tracker="cve" id="2018-12374"></issue>
  <issue tracker="bnc" id="1100081">VUL-0: CVE-2018-12374: MozillaThunderbird: Using form to exfiltrate encrypted mail part by pressing enter in form field</issue>
  <issue tracker="bnc" id="1076907">package MozillaFirefox does not provide mimehandler(text/html)</issue>
  <issue tracker="bnc" id="1091376">Mozilla Thunderbird for i586 is not built</issue>
  <issue tracker="bnc" id="1085780">AUDIT-0: authoritative sources for all Mozilla based packages</issue>
  <issue tracker="bnc" id="1100780"/>
  <category>security</category>
  <rating>moderate</rating>
  <summary>Security update for Mozilla Thunderbird</summary>
  <description>This update for Mozilla Thunderbird to version 52.9.1 fixes multiple issues.

Security issues fixed, inherited from the Mozilla common code base (MFSA 2018-16, bsc#1098998):
    
- CVE-2018-12359: Buffer overflow using computed size of canvas element
- CVE-2018-12360: Use-after-free when using focus()
- CVE-2018-12362: Integer overflow in SSSE3 scaler
- CVE-2018-12363: Use-after-free when appending DOM nodes
- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
- CVE-2018-12365: Compromised IPC child process can list local filenames
- CVE-2018-12366: Invalid data handling during QCMS transformations
- CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0
    
Security issues fixed that affect e-mail privacy and integrity (including EFAIL): 
    
- CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails (bsc#1100082)
- CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward (bsc#1100079)
- CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field (bsc#1100081)
    
The following options are available for added security in certain scenarios:
    
- Option for not decrypting subordinate message parts that otherwise might reveal decryted content to the attacker. 
  Preference mailnews.p7m_subparts_external needs to be set to true for added security.
    
The following upstream changes are included:
    
- Thunderbird will now prompt to compact IMAP folders even if the account is online
- Fix various problems when forwarding messages inline when using "simple" HTML view
- Deleting or detaching attachments corrupted messages under certain circumstances (bsc#1100780)
    
The following tracked packaging changes are included:

- correct requires and provides handling (boo#1076907)
- reduce memory footprint with %ix86 at linking time via additional compiler flags (boo#1091376)
- Build from upstream source archive and verify source signature (boo#1085780)

</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places