SUSE-SU-2018:2174-1: moderate: Security update for Mozilla Thunderbird

Thu Aug 2 10:09:59 MDT 2018

   SUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2174-1
Rating:             moderate
References:         #1076907 #1085780 #1091376 #1098998 #1100079 
                    #1100081 #1100082 #1100780 
Cross-References:   CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
                    CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
                    CVE-2018-12366 CVE-2018-12372 CVE-2018-12373
                    CVE-2018-12374 CVE-2018-5188
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   This update for Mozilla Thunderbird to version 52.9.1 fixes multiple
   issues.

   Security issues fixed, inherited from the Mozilla common code base (MFSA
   2018-16, bsc#1098998):

   - CVE-2018-12359: Buffer overflow using computed size of canvas element
   - CVE-2018-12360: Use-after-free when using focus()
   - CVE-2018-12362: Integer overflow in SSSE3 scaler
   - CVE-2018-12363: Use-after-free when appending DOM nodes
   - CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
   - CVE-2018-12365: Compromised IPC child process can list local filenames
   - CVE-2018-12366: Invalid data handling during QCMS transformations
   - CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0

   Security issues fixed that affect e-mail privacy and integrity (including
   EFAIL):

   - CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
     emails (bsc#1100082)
   - CVE-2018-12373: S/MIME plaintext can be leaked through HTML
     reply/forward (bsc#1100079)
   - CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
     enter in form field (bsc#1100081)

   The following options are available for added security in certain
   scenarios:

   - Option for not decrypting subordinate message parts that otherwise might
     reveal decryted content to the attacker. Preference
     mailnews.p7m_subparts_external needs to be set to true for added
     security.

   The following upstream changes are included:

   - Thunderbird will now prompt to compact IMAP folders even if the account
     is online
   - Fix various problems when forwarding messages inline when using "simple"
     HTML view
   - Deleting or detaching attachments corrupted messages under certain
     circumstances (bsc#1100780)

   The following tracked packaging changes are included:

   - correct requires and provides handling (boo#1076907)
   - reduce memory footprint with %ix86 at linking time via additional
     compiler flags (boo#1091376)
   - Build from upstream source archive and verify source signature
     (boo#1085780)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15:

      zypper in -t patch SUSE-SLE-Product-WE-15-2018-1475=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15 (x86_64):

      MozillaThunderbird-52.9.1-3.7.1
      MozillaThunderbird-debuginfo-52.9.1-3.7.1
      MozillaThunderbird-debugsource-52.9.1-3.7.1
      MozillaThunderbird-devel-52.9.1-3.7.1
      MozillaThunderbird-translations-common-52.9.1-3.7.1
      MozillaThunderbird-translations-other-52.9.1-3.7.1

References:

   https://www.suse.com/security/cve/CVE-2018-12359.html
   https://www.suse.com/security/cve/CVE-2018-12360.html
   https://www.suse.com/security/cve/CVE-2018-12362.html
   https://www.suse.com/security/cve/CVE-2018-12363.html
   https://www.suse.com/security/cve/CVE-2018-12364.html
   https://www.suse.com/security/cve/CVE-2018-12365.html
   https://www.suse.com/security/cve/CVE-2018-12366.html
   https://www.suse.com/security/cve/CVE-2018-12372.html
   https://www.suse.com/security/cve/CVE-2018-12373.html
   https://www.suse.com/security/cve/CVE-2018-12374.html
   https://www.suse.com/security/cve/CVE-2018-5188.html
   https://bugzilla.suse.com/1076907
   https://bugzilla.suse.com/1085780
   https://bugzilla.suse.com/1091376
   https://bugzilla.suse.com/1098998
   https://bugzilla.suse.com/1100079
   https://bugzilla.suse.com/1100081
   https://bugzilla.suse.com/1100082
   https://bugzilla.suse.com/1100780