openSUSE Security Update: Security update for Mozilla Thunderbird ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1907-1 Rating: moderate References: #1076907 #1085780 #1091376 #1098998 #1100079 #1100081 #1100082 Cross-References: CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374 CVE-2018-5188 Affected Products: SUSE Package Hub for SUSE Linux Enterprise 12 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for Mozilla Thunderbird to version 52.9.0 fixes multiple issues. Security issues fixed, inherited from the Mozilla common code base (MFSA 2018-16, bsc#1098998): - CVE-2018-12359: Buffer overflow using computed size of canvas element - CVE-2018-12360: Use-after-free when using focus() - CVE-2018-12362: Integer overflow in SSSE3 scaler - CVE-2018-12363: Use-after-free when appending DOM nodes - CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins - CVE-2018-12365: Compromised IPC child process can list local filenames - CVE-2018-12366: Invalid data handling during QCMS transformations - CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0 Security issues fixed that affect e-mail privacy and integrity (including EFAIL): - CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails (bsc#1100082) - CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward (bsc#1100079) - CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field (bsc#1100081) The following options are available for added security in certain scenarios: - Option for not decrypting subordinate message parts that otherwise might reveal decryted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security. The following upstream changes are included: - Thunderbird will now prompt to compact IMAP folders even if the account is online - Fix various problems when forwarding messages inline when using "simple" HTML view The following tracked packaging changes are included: - correct requires and provides handling (boo#1076907) - reduce memory footprint with %ix86 at linking time via additional compiler flags (boo#1091376) - Build from upstream source archive and verify source signature (boo#1085780) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2018-701=1 Package List: - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64): MozillaThunderbird-52.9.0-65.1 MozillaThunderbird-buildsymbols-52.9.0-65.1 MozillaThunderbird-debuginfo-52.9.0-65.1 MozillaThunderbird-debugsource-52.9.0-65.1 MozillaThunderbird-devel-52.9.0-65.1 MozillaThunderbird-translations-common-52.9.0-65.1 MozillaThunderbird-translations-other-52.9.0-65.1 References: https://www.suse.com/security/cve/CVE-2018-12359.html https://www.suse.com/security/cve/CVE-2018-12360.html https://www.suse.com/security/cve/CVE-2018-12362.html https://www.suse.com/security/cve/CVE-2018-12363.html https://www.suse.com/security/cve/CVE-2018-12364.html https://www.suse.com/security/cve/CVE-2018-12365.html https://www.suse.com/security/cve/CVE-2018-12366.html https://www.suse.com/security/cve/CVE-2018-12372.html https://www.suse.com/security/cve/CVE-2018-12373.html https://www.suse.com/security/cve/CVE-2018-12374.html https://www.suse.com/security/cve/CVE-2018-5188.html https://bugzilla.suse.com/1076907 https://bugzilla.suse.com/1085780 https://bugzilla.suse.com/1091376 https://bugzilla.suse.com/1098998 https://bugzilla.suse.com/1100079 https://bugzilla.suse.com/1100081 https://bugzilla.suse.com/1100082 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org