Amazon Linux 2 : thunderbird (ALAS-2018-1061)

High Nessus Plugin ID 112086

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

Use-after-free when appending DOM nodes (CVE-2018-12363)

Use-after-free using focus() (CVE-2018-12360)

Compromised IPC child process can list local filenames (CVE-2018-12365)

Buffer overflow using computed size of canvas element (CVE-2018-12359)

Using form to exfiltrate encrypted mail part by pressing enter in form field (CVE-2018-12374)

S/MIME plaintext can be leaked through HTML reply/forward (CVE-2018-12373)

Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)

S/MIME and PGP decryption oracles can be built with HTML emails (CVE-2018-12372)

Integer overflow in SSSE3 scaler (CVE-2018-12362)

CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)

Invalid data handling during QCMS transformations (CVE-2018-12366)

Solution

Run 'yum update thunderbird' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2018-1061.html

Plugin Details

Severity: High

ID: 112086

File Name: al2_ALAS-2018-1061.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2018/08/24

Modified: 2018/08/24

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:thunderbird, p-cpe:/a:amazon:linux:thunderbird-debuginfo, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2018/08/21

Reference Information

CVE: CVE-2018-12359, CVE-2018-12360, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12372, CVE-2018-12373, CVE-2018-12374, CVE-2018-5188

ALAS: 2018-1061