openSUSE Security Update : MozillaThunderbird (openSUSE-2019-2452)

medium Nessus Plugin ID 130936

VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for MozillaThunderbird to version 68.2.1 provides the following fixes :

- Security issues fixed (bsc#1154738) :

- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).

- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).

- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).

- CVE-2019-11759: Fixed a stack-based buffer overflow in HKDF output (bsc#1154738).

- CVE-2019-11760: Fixed a stack-based buffer overflow in WebRTC networking (bsc#1154738).

- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).

- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).

- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).

- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).

Other fixes (bsc#1153879) :

- Some attachments couldn't be opened in messages originating from MS Outlook 2016.

- Address book import from CSV.

- Performance problem in message body search.

- Ctrl+Enter to send a message would open an attachment if the attachment pane had focus.

- Calendar: Issues with 'Today Pane' start-up.

- Calendar: Glitches with custom repeat and reminder number input.

- Calendar: Problems with WCAP provider.

- A language for the user interface can now be chosen in the advanced settings

- Fixed an issue with Google authentication (OAuth2)

- Fixed an issue where selected or unread messages were not shown in the correct color in the thread pane under some circumstances

- Fixed an issue where names of standard folders were not localized when using a language pack (bsc#1149126)

- Fixed an issue where the address book default startup directory in the preferences panel was not persisted

- Fixed various visual glitches

- Fixed issues with the chat

- Fixed building with rust >= 1.38.

- Fixed LTO build without PGO.

- Removed kde.js since disabling instantApply breaks extensions and is now obsolete with the move to HTML views for preferences. (bsc#1151186)

- Updated create-tar.sh. (bsc#1152778)

- Deactivated the crashreporter for the last remaining arch.

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected MozillaThunderbird packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1149429

https://bugzilla.opensuse.org/show_bug.cgi?id=1151186

https://bugzilla.opensuse.org/show_bug.cgi?id=1154738

https://bugzilla.opensuse.org/show_bug.cgi?id=1149126

https://bugzilla.opensuse.org/show_bug.cgi?id=1152778

https://bugzilla.opensuse.org/show_bug.cgi?id=1153879

Plugin Details

Severity: Medium

ID: 130936

File Name: openSUSE-2019-2452.nasl

Version: 1.3

Type: local

Agent: unix

Published: 11/13/2019

Updated: 1/15/2020

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 6.7

CVSS Score Source: CVE-2019-11764

CVSS v2.0

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:novell:opensuse:15.1:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillathunderbird:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillathunderbird-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillathunderbird-debugsource:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillathunderbird-translations-common:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillathunderbird-translations-other:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/9/2019

Vulnerability Publication Date: 9/4/2019

Reference Information

CVE: CVE-2019-15903, CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764