openSUSE Security Update : MozillaThunderbird (openSUSE-2019-2248)

High Nessus Plugin ID 129662

VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for MozillaThunderbird to version 68.1.1 fixes the following issues:

- CVE-2019-11709: Fixed several memory safety bugs. (bsc#1140868)

- CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868)

- CVE-2019-11711: Fixed a script injection within domain through inner window reuse. (bsc#1140868)

- CVE-2019-11712: Fixed an insufficient validation of cross-origin POST requests within NPAPI plugins. (bsc#1140868)

- CVE-2019-11713: Fixed a use-after-free with HTTP/2 cached stream. (bsc#1140868)

- CVE-2019-11714: Fixed a crash in NeckoChild. (bsc#1140868)

- CVE-2019-11715: Fixed an HTML parsing error that can contribute to content XSS. (bsc#1140868)

- CVE-2019-11716: Fixed an enumeration issue in globalThis. (bsc#1140868)

- CVE-2019-11717: Fixed an improper escaping of the caret character in origins. (bsc#1140868)

- CVE-2019-11719: Fixed an out-of-bounds read when importing curve25519 private key. (bsc#1140868)

- CVE-2019-11720: Fixed a character encoding XSS vulnerability. (bsc#1140868)

- CVE-2019-11721: Fixed domain spoofing through the Unicode Latin 'kra' character. (bsc#1140868)

- CVE-2019-11723: Fixed a cookie leakage during add-on fetching across private browsing boundaries. (bsc#1140868)

- CVE-2019-11724: Fixed a permissions issue with the retired site input.mozilla.org. (bsc#1140868)

- CVE-2019-11725: Fixed a SafeBrowsing bypass through WebSockets. (bsc#1140868)

- CVE-2019-11727: Fixed an insufficient validation for PKCS#1 v1.5 signatures being used with TLS 1.3. (bsc#1140868)

- CVE-2019-11728: Fixed port scanning through Alt-Svc header. (bsc#1140868)

- CVE-2019-11729: Fixed a segmentation fault due to empty or malformed p256-ECDH public keys. (bsc#1140868)

- CVE-2019-11730: Fixed an insufficient enforcement of the same-origin policy that treats all files in a directory as having the same-origin. (bsc#1140868)

- CVE-2019-11739: Fixed a Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message. (bsc#1150939)

- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)

- CVE-2019-11742: Fixed a same-origin policy violation with SVG filters and canvas that enabled theft of cross-origin images. (bsc#1149303)

- CVE-2019-11743: Fixed a cross-origin access issue. (bsc#1149298)

- CVE-2019-11744: Fixed an XSS involving breaking out of title and textarea elements using innerHTML. (bsc#1149304)

- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)

- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)

- CVE-2019-11755: Fixed an insufficient validation of S/MIME messages that allowed the author to be spoofed. (bsc#1152375)

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected MozillaThunderbird packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1140868

https://bugzilla.opensuse.org/show_bug.cgi?id=1141322

https://bugzilla.opensuse.org/show_bug.cgi?id=1149296

https://bugzilla.opensuse.org/show_bug.cgi?id=1149297

https://bugzilla.opensuse.org/show_bug.cgi?id=1149298

https://bugzilla.opensuse.org/show_bug.cgi?id=1149299

https://bugzilla.opensuse.org/show_bug.cgi?id=1149303

https://bugzilla.opensuse.org/show_bug.cgi?id=1149304

https://bugzilla.opensuse.org/show_bug.cgi?id=1150939

https://bugzilla.opensuse.org/show_bug.cgi?id=1152375

Plugin Details

Severity: High

ID: 129662

File Name: openSUSE-2019-2248.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2019/10/07

Updated: 2020/09/22

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS Score Source: CVE-2019-11752

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, p-cpe:/a:novell:opensuse:enigmail, cpe:/o:novell:opensuse:15.0

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/10/04

Vulnerability Publication Date: 2019/07/23

Reference Information

CVE: CVE-2019-11709, CVE-2019-11710, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11719, CVE-2019-11720, CVE-2019-11721, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11729, CVE-2019-11730, CVE-2019-11739, CVE-2019-11740, CVE-2019-11742, CVE-2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11752, CVE-2019-11755