openSUSE Security Update : MozillaThunderbird (openSUSE-2018-1139)

critical Nessus Plugin ID 117987


New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote openSUSE host is missing a security update.


This update for Mozilla Thunderbird to version 60.2.1 fixes multiple issues.

Multiple security issues were fixed in the Mozilla platform as advised in MFSA 2018-25. In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts :

- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)

- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)

- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)

- CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (bsc#1107343)

- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)

- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)

- CVE-2018-12359: Buffer overflow using computed size of canvas element (bsc#1098998)

- CVE-2018-12360: Use-after-free when using focus() (bsc#1098998)

- CVE-2018-12361: Integer overflow in SwizzleData (bsc#1098998)

- CVE-2018-12362: Integer overflow in SSSE3 scaler (bsc#1098998)

- CVE-2018-12363: Use-after-free when appending DOM nodes (bsc#1098998)

- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998)

- CVE-2018-12365: Compromised IPC child process can list local filenames (bsc#1098998)

- CVE-2018-12371: Integer overflow in Skia library during edge builder allocation (bsc#1098998)

- CVE-2018-12366: Invalid data handling during QCMS transformations (bsc#1098998)

- CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998)

- CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture (bsc#1098998)

- CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60 (bsc#1098998)

- CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 60 (bsc#1098998)

Other bugs fixes :

- Fix date display issues (bsc#1109379)

- Fix start-up crash due to folder name with special characters (bsc#1107772)


Update the affected MozillaThunderbird packages.

See Also

Plugin Details

Severity: Critical

ID: 117987

File Name: openSUSE-2018-1139.nasl

Version: 1.6

Type: local

Agent: unix

Published: 10/9/2018

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, cpe:/o:novell:opensuse:15.0, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/6/2018

Reference Information

CVE: CVE-2017-16541, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12371, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12383, CVE-2018-12385, CVE-2018-16541, CVE-2018-5156, CVE-2018-5187, CVE-2018-5188