You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa thunderbird

Sigurnosni nedostaci programskog paketa thunderbird

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

openSUSE Security Update: Security update for MozillaThunderbird

Announcement ID: openSUSE-SU-2018:3687-1
Rating: important
References: #1066489 #1084603 #1098998 #1107343 #1107772
#1109363 #1109379 #1112852
Cross-References: CVE-2017-16541 CVE-2018-12359 CVE-2018-12360
CVE-2018-12361 CVE-2018-12362 CVE-2018-12363
CVE-2018-12364 CVE-2018-12365 CVE-2018-12366
CVE-2018-12367 CVE-2018-12371 CVE-2018-12376
CVE-2018-12377 CVE-2018-12378 CVE-2018-12383
CVE-2018-12385 CVE-2018-12389 CVE-2018-12390
CVE-2018-12391 CVE-2018-12392 CVE-2018-12393
CVE-2018-16541 CVE-2018-5156 CVE-2018-5187
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12

An update that fixes 25 vulnerabilities is now available.


This update for Mozilla Thunderbird to version 60.2.1 fixes multiple

Multiple security issues were fixed in the Mozilla platform as advised in
MFSA 2018-25 and MFSA 2018-28. In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when reading
mail, but are potentially risks in browser or browser-like contexts:

– CVE-2018-12359: Prevent buffer overflow using computed size of canvas
element (bsc#1098998)
– CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998)
– CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998)
– CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998)
– CVE-2018-5156: Prevent media recorder segmentation fault when track type
is changed during capture (bsc#1098998)
– CVE-2018-12363: Prevent use-after-free when appending DOM nodes
– CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI
plugins (bsc#1098998)
– CVE-2018-12365: Prevent compromised IPC child process listing local
filenames (bsc#1098998)
– CVE-2018-12371: Prevent integer overflow in Skia library during edge
builder allocation (bsc#1098998)
– CVE-2018-12366: Prevent invalid data handling during QCMS
transformations (bsc#1098998)
– CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
– CVE-2018-5187: Various memory safety bugs (bsc#1098998)
– CVE-2018-5188: Various memory safety bugs (bsc#1098998)
– CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
– CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
– CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
– CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR
60.2 (bsc#1107343)
– CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
– CVE-2018-12383: Setting a master password did not delete unencrypted
previously stored passwords (bsc#1107343)
– CVE-2018-12389: Fixed memory safety bugs (bsc#1112852)
– CVE-2018-12390: Fixed memory safety bugs (bsc#1112852)
– CVE-2018-12391: Fixed HTTP Live Stream audio data is accessible
cross-origin (bsc#1112852)
– CVE-2018-12392: Fixed crash with nested event loops (bsc#1112852)
– CVE-2018-12393: Fixed integer overflow during Unicode conversion while
loading JavaScript (bsc#1112852)

These non-security issues were fixed:

– Fix date display issues (bsc#1109379)
– Fix start-up crash due to folder name with special characters
– Storing of remote content settings fixed (bsc#1084603)
– Improved message handling and composing
– Improved handling of message templates
– Support for OAuth2 and FIDO U2F
– Various Calendar improvements
– Various fixes and changes to e-mail workflow
– Various IMAP fixes
– Native desktop notifications
– various theme fixes
– Shift+PageUp/PageDown in Write window
– Gloda attachment filtering
– Mailing list address auto-complete enter/return handling
– Thunderbird hung if HTML signature references non-existent image
– Filters not working for headers that appear more than once

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2018-1360=1

Package List:

– SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):



To unsubscribe, e-mail:
For additional commands, e-mail:

AutorToni Vugdelija
Cert idNCERT-REF-2018-11-0001-ADV
More in Preporuke
Sigurnosni nedostaci programskog paketa java-1.8.0-ibm

Otkriveni su sigurnosni nedostaci u programskom paketu java-1.8.0-ibm za operacijski sustav Red Hat. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS...