openSUSE Security Update : MozillaThunderbird (openSUSE-2019-680)

high Nessus Plugin ID 123293
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for Mozilla Thunderbird to version 60.2.1 fixes multiple issues.

Multiple security issues were fixed in the Mozilla platform as advised in MFSA 2018-25. In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts :

- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)

- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)

- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)

- CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (bsc#1107343)

- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)

- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)

- CVE-2018-12359: Buffer overflow using computed size of canvas element (bsc#1098998)

- CVE-2018-12360: Use-after-free when using focus() (bsc#1098998)

- CVE-2018-12361: Integer overflow in SwizzleData (bsc#1098998)

- CVE-2018-12362: Integer overflow in SSSE3 scaler (bsc#1098998)

- CVE-2018-12363: Use-after-free when appending DOM nodes (bsc#1098998)

- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998)

- CVE-2018-12365: Compromised IPC child process can list local filenames (bsc#1098998)

- CVE-2018-12371: Integer overflow in Skia library during edge builder allocation (bsc#1098998)

- CVE-2018-12366: Invalid data handling during QCMS transformations (bsc#1098998)

- CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998)

- CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture (bsc#1098998)

- CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60 (bsc#1098998)

- CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 60 (bsc#1098998)

Other bugs fixes :

- Fix date display issues (bsc#1109379)

- Fix start-up crash due to folder name with special characters (bsc#1107772)

Solution

Update the affected MozillaThunderbird packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1066489

https://bugzilla.opensuse.org/show_bug.cgi?id=1084603

https://bugzilla.opensuse.org/show_bug.cgi?id=1098998

https://bugzilla.opensuse.org/show_bug.cgi?id=1107343

https://bugzilla.opensuse.org/show_bug.cgi?id=1107772

https://bugzilla.opensuse.org/show_bug.cgi?id=1109363

https://bugzilla.opensuse.org/show_bug.cgi?id=1109379

Plugin Details

Severity: High

ID: 123293

File Name: openSUSE-2019-680.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/27/2019

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, cpe:/o:novell:opensuse:15.0

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/23/2019

Vulnerability Publication Date: 11/4/2017

Reference Information

CVE: CVE-2017-16541, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12371, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12383, CVE-2018-12385, CVE-2018-16541, CVE-2018-5156, CVE-2018-5187, CVE-2018-5188