openSUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:2249-1 Rating: important References: #1140868 #1141322 #1149296 #1149297 #1149298 #1149299 #1149303 #1149304 #1150939 #1152375 Cross-References: CVE-2019-11709 CVE-2019-11710 CVE-2019-11711 CVE-2019-11712 CVE-2019-11713 CVE-2019-11714 CVE-2019-11715 CVE-2019-11716 CVE-2019-11717 CVE-2019-11719 CVE-2019-11720 CVE-2019-11721 CVE-2019-11723 CVE-2019-11724 CVE-2019-11725 CVE-2019-11727 CVE-2019-11728 CVE-2019-11729 CVE-2019-11730 CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752 CVE-2019-11755 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes 27 vulnerabilities is now available. Description: This update for MozillaThunderbird to version 68.1.1 fixes the following issues: - CVE-2019-11709: Fixed several memory safety bugs. (bsc#1140868) - CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868) - CVE-2019-11711: Fixed a script injection within domain through inner window reuse. (bsc#1140868) - CVE-2019-11712: Fixed an insufficient validation of cross-origin POST requests within NPAPI plugins. (bsc#1140868) - CVE-2019-11713: Fixed a use-after-free with HTTP/2 cached stream. (bsc#1140868) - CVE-2019-11714: Fixed a crash in NeckoChild. (bsc#1140868) - CVE-2019-11715: Fixed an HTML parsing error that can contribute to content XSS. (bsc#1140868) - CVE-2019-11716: Fixed an enumeration issue in globalThis. (bsc#1140868) - CVE-2019-11717: Fixed an improper escaping of the caret character in origins. (bsc#1140868) - CVE-2019-11719: Fixed an out-of-bounds read when importing curve25519 private key. (bsc#1140868) - CVE-2019-11720: Fixed a character encoding XSS vulnerability. (bsc#1140868) - CVE-2019-11721: Fixed domain spoofing through unicode latin 'kra' character. (bsc#1140868) - CVE-2019-11723: Fixed a cookie leakage during add-on fetching across private browsing boundaries. (bsc#1140868) - CVE-2019-11724: Fixed a permissions issue with the retired site input.mozilla.org. (bsc#1140868) - CVE-2019-11725: Fixed a SafeBrowsing bypass through WebSockets. (bsc#1140868) - CVE-2019-11727: Fixed an insufficient validation for PKCS#1 v1.5 signatures being used with TLS 1.3. (bsc#1140868) - CVE-2019-11728: Fixed port scanning through Alt-Svc header. (bsc#1140868) - CVE-2019-11729: Fixed a segmentation fault due to empty or malformed p256-ECDH public keys. (bsc#1140868) - CVE-2019-11730: Fixed an insufficient enforcement of the same-origin policy that treats all files in a directory as having the same-origin. (bsc#1140868) - CVE-2019-11739: Fixed a Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message. (bsc#1150939) - CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299) - CVE-2019-11742: Fixed a same-origin policy violation with SVG filters and canvas that enabled theft of cross-origin images. (bsc#1149303) - CVE-2019-11743: Fixed a cross-origin access issue. (bsc#1149298) - CVE-2019-11744: Fixed a XSS involving breaking out of title and textarea elements using innerHTML. (bsc#1149304) - CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297) - CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296) - CVE-2019-11755: Fixed an insufficient validation of S/MIME messages that allowed the author to be spoofed. (bsc#1152375) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2019-2249=1 Package List: - openSUSE Leap 15.1 (x86_64): MozillaThunderbird-68.1.1-lp151.2.13.1 MozillaThunderbird-buildsymbols-68.1.1-lp151.2.13.1 MozillaThunderbird-debuginfo-68.1.1-lp151.2.13.1 MozillaThunderbird-debugsource-68.1.1-lp151.2.13.1 MozillaThunderbird-translations-common-68.1.1-lp151.2.13.1 MozillaThunderbird-translations-other-68.1.1-lp151.2.13.1 enigmail-2.1.2-lp151.2.6.1 References: https://www.suse.com/security/cve/CVE-2019-11709.html https://www.suse.com/security/cve/CVE-2019-11710.html https://www.suse.com/security/cve/CVE-2019-11711.html https://www.suse.com/security/cve/CVE-2019-11712.html https://www.suse.com/security/cve/CVE-2019-11713.html https://www.suse.com/security/cve/CVE-2019-11714.html https://www.suse.com/security/cve/CVE-2019-11715.html https://www.suse.com/security/cve/CVE-2019-11716.html https://www.suse.com/security/cve/CVE-2019-11717.html https://www.suse.com/security/cve/CVE-2019-11719.html https://www.suse.com/security/cve/CVE-2019-11720.html https://www.suse.com/security/cve/CVE-2019-11721.html https://www.suse.com/security/cve/CVE-2019-11723.html https://www.suse.com/security/cve/CVE-2019-11724.html https://www.suse.com/security/cve/CVE-2019-11725.html https://www.suse.com/security/cve/CVE-2019-11727.html https://www.suse.com/security/cve/CVE-2019-11728.html https://www.suse.com/security/cve/CVE-2019-11729.html https://www.suse.com/security/cve/CVE-2019-11730.html https://www.suse.com/security/cve/CVE-2019-11739.html https://www.suse.com/security/cve/CVE-2019-11740.html https://www.suse.com/security/cve/CVE-2019-11742.html https://www.suse.com/security/cve/CVE-2019-11743.html https://www.suse.com/security/cve/CVE-2019-11744.html https://www.suse.com/security/cve/CVE-2019-11746.html https://www.suse.com/security/cve/CVE-2019-11752.html https://www.suse.com/security/cve/CVE-2019-11755.html https://bugzilla.suse.com/1140868 https://bugzilla.suse.com/1141322 https://bugzilla.suse.com/1149296 https://bugzilla.suse.com/1149297 https://bugzilla.suse.com/1149298 https://bugzilla.suse.com/1149299 https://bugzilla.suse.com/1149303 https://bugzilla.suse.com/1149304 https://bugzilla.suse.com/1150939 https://bugzilla.suse.com/1152375 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org