Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2018:3769-1
Rating:	important
References:	bsc#1112852
Cross-References:	CVE-2018-12389 CVE-2018-12390 CVE-2018-12391 CVE-2018-12392 CVE-2018-12393
CVSS scores:	CVE-2018-12389 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12390 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12390 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-12391 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12391 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12392 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12392 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-12393 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12393 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Workstation Extension 15

An update that solves five vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Thunderbird 63 ESR was updated to version 60.3.0 to fix the following issues (bsc#1112852):

Security issues fixed (MFSA 2018-28):

• CVE-2018-12389: Fixed memory safety bugs.
• CVE-2018-12390: Fixed memory safety bugs.
• CVE-2018-12391: Fixed HTTP Live Stream audio data is accessible cross-origin.
• CVE-2018-12392: Fixed crash with nested event loops.
• CVE-2018-12393: Fixed integer overflow during Unicode conversion while loading JavaScript.

Non-security issues fixed:

• various theme fixes
• Shift+PageUp/PageDown in Write window
• Gloda attachment filtering
• Mailing list address auto-complete enter/return handling
• Thunderbird hung if HTML signature references non-existent image
• Filters not working for headers that appear more than once
• Update _constraints for armv6/7
• Add memory-constraints to avoid OOM errors

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15
  zypper in -t patch SUSE-SLE-Product-WE-15-2018-2660=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 (x86_64)
  • MozillaThunderbird-debuginfo-60.3.0-3.17.2
  • MozillaThunderbird-60.3.0-3.17.2
  • MozillaThunderbird-translations-other-60.3.0-3.17.2
  • MozillaThunderbird-translations-common-60.3.0-3.17.2
  • MozillaThunderbird-debugsource-60.3.0-3.17.2

References:

• https://www.suse.com/security/cve/CVE-2018-12389.html
• https://www.suse.com/security/cve/CVE-2018-12390.html
• https://www.suse.com/security/cve/CVE-2018-12391.html
• https://www.suse.com/security/cve/CVE-2018-12392.html
• https://www.suse.com/security/cve/CVE-2018-12393.html
• https://bugzilla.suse.com/show_bug.cgi?id=1112852