{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"52.9.1-3.7.1","MozillaThunderbird-devel":"52.9.1-3.7.1","MozillaThunderbird-translations-common":"52.9.1-3.7.1","MozillaThunderbird-translations-other":"52.9.1-3.7.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"52.9.1-3.7.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for Mozilla Thunderbird to version 52.9.1 fixes multiple issues.\n\nSecurity issues fixed, inherited from the Mozilla common code base (MFSA 2018-16, bsc#1098998):\n    \n- CVE-2018-12359: Buffer overflow using computed size of canvas element\n- CVE-2018-12360: Use-after-free when using focus()\n- CVE-2018-12362: Integer overflow in SSSE3 scaler\n- CVE-2018-12363: Use-after-free when appending DOM nodes\n- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins\n- CVE-2018-12365: Compromised IPC child process can list local filenames\n- CVE-2018-12366: Invalid data handling during QCMS transformations\n- CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0\n    \nSecurity issues fixed that affect e-mail privacy and integrity (including EFAIL): \n    \n- CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails (bsc#1100082)\n- CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward (bsc#1100079)\n- CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field (bsc#1100081)\n    \nThe following options are available for added security in certain scenarios:\n    \n- Option for not decrypting subordinate message parts that otherwise might reveal decryted content to the attacker. \n  Preference mailnews.p7m_subparts_external needs to be set to true for added security.\n    \nThe following upstream changes are included:\n    \n- Thunderbird will now prompt to compact IMAP folders even if the account is online\n- Fix various problems when forwarding messages inline when using 'simple' HTML view\n- Deleting or detaching attachments corrupted messages under certain circumstances (bsc#1100780)\n    \nThe following tracked packaging changes are included:\n\n- correct requires and provides handling (boo#1076907)\n- reduce memory footprint with %ix86 at linking time via additional compiler flags (boo#1091376)\n- Build from upstream source archive and verify source signature (boo#1085780)\n\n","id":"SUSE-SU-2018:2174-1","modified":"2018-08-02T12:19:39Z","published":"2018-08-02T12:19:39Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20182174-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1076907"},{"type":"REPORT","url":"https://bugzilla.suse.com/1085780"},{"type":"REPORT","url":"https://bugzilla.suse.com/1091376"},{"type":"REPORT","url":"https://bugzilla.suse.com/1098998"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100079"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100081"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100082"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100780"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12359"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12360"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12362"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12363"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12364"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12365"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12366"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12372"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12373"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-12374"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-5188"}],"related":["CVE-2018-12359","CVE-2018-12360","CVE-2018-12362","CVE-2018-12363","CVE-2018-12364","CVE-2018-12365","CVE-2018-12366","CVE-2018-12372","CVE-2018-12373","CVE-2018-12374","CVE-2018-5188"],"summary":"Security update for Mozilla Thunderbird","upstream":["CVE-2018-12359","CVE-2018-12360","CVE-2018-12362","CVE-2018-12363","CVE-2018-12364","CVE-2018-12365","CVE-2018-12366","CVE-2018-12372","CVE-2018-12373","CVE-2018-12374","CVE-2018-5188"]}