-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3209
                  Security update for MozillaThunderbird
                              22 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Thunderbird
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12385 CVE-2018-12383 CVE-2018-12378
                   CVE-2018-12377 CVE-2018-12376 CVE-2018-12371
                   CVE-2018-12367 CVE-2018-12366 CVE-2018-12365
                   CVE-2018-12364 CVE-2018-12363 CVE-2018-12362
                   CVE-2018-12361 CVE-2018-12360 CVE-2018-12359
                   CVE-2018-5188 CVE-2018-5187 CVE-2018-5156
                   CVE-2017-16541  

Reference:         ASB-2018.0208.3
                   ASB-2018.0189
                   ASB-2018.0146
                   ASB-2018.0139
                   ESB-2018.2774
                   ESB-2018.2492
                   ESB-2018.2356
                   ESB-2018.2328

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20183247-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3247-1
Rating:             important
References:         #1066489 #1084603 #1098998 #1107343 #1107772 
                    #1109363 #1109379 
Cross-References:   CVE-2017-16541 CVE-2018-12359 CVE-2018-12360
                    CVE-2018-12361 CVE-2018-12362 CVE-2018-12363
                    CVE-2018-12364 CVE-2018-12365 CVE-2018-12366
                    CVE-2018-12367 CVE-2018-12371 CVE-2018-12376
                    CVE-2018-12377 CVE-2018-12378 CVE-2018-12383
                    CVE-2018-12385 CVE-2018-5156 CVE-2018-5187
                    CVE-2018-5188
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15
______________________________________________________________________________

   An update that fixes 19 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird to version 60.2.1 fixes the following
   issues:

   Update to Thunderbird 60.2.1:

   * Calendar: Default values for the first day of the week and working days
     are now derived from the selected datetime formatting locale
   * Calendar: Switch to a Photon-style icon set for all platforms
   * Fix multiple requests for master password when Google Mail or Calendar
     OAuth2 is enabled
   * Fix scrollbar of the address entry auto-complete popup
   * Fix security info dialog in compose window not showing certificate status
   * Fix links in the Add-on Manager's search results and theme browsing tabs
     that opened in external browser
   * Fix localization not showing the localized name for the "Drafts" and
     "Sent" folders for certain IMAP providers
   * Fix replying to a message with an empty subject which inserted Re: twice
   * Fix spellcheck marks disappearing erroneously for words with an apostrophe
   * Calendar: First day of the week can now be set
   * Calendar: Several fixes related to cutting/deleting of events and email
     scheduling

   These security issues were fixed:

   - CVE-2018-12359: Prevent buffer overflow using computed size of canvas
     element (bsc#1098998).
   - CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998).
   - CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998).
   - CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998).
   - CVE-2018-5156: Prevent media recorder segmentation fault when track type
     is changed during capture (bsc#1098998).
   - CVE-2018-12363: Prevent use-after-free when appending DOM nodes
     (bsc#1098998).
   - CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI
     plugins (bsc#1098998).
   - CVE-2018-12365: Prevent compromised IPC child process listing local
     filenames (bsc#1098998).
   - CVE-2018-12371: Prevent integer overflow in Skia library during edge
     builder allocation (bsc#1098998).
   - CVE-2018-12366: Prevent invalid data handling during QCMS
     transformations (bsc#1098998).
   - CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
     (bsc#1098998).
   - CVE-2018-5187: Various memory safety bugs (bsc#1098998).
   - CVE-2018-5188: Various memory safety bugs (bsc#1098998).
   - CVE-2018-12377: Prevent use-after-free in refresh driver timers
     (bsc#1107343)
   - CVE-2018-12378: Prevent use-after-free in IndexedDB (bsc#1107343)
   - CVE-2017-16541: Prevent proxy bypass using automount and autofs
     (bsc#1066489)
   - CVE-2018-12376: Fixed various memory safety bugs (bsc#1107343)
   - CVE-2018-12385: Fixed crash in TransportSecurityInfo due to cached data
     (bsc#1109363)
   - CVE-2018-12383: Fixed that setting a master password did not delete
     unencrypted previously stored passwords (bsc#1107343)

   These cannot, in general, be exploited through email, but are potential
   risks in browser or browser-like contexts.

   These non-security issues were fixed:

   - Storing of remote content settings fixed (bsc#1084603)
   - Improved message handling and composing
   - Improved handling of message templates
   - Support for OAuth2 and FIDO U2F
   - Various Calendar improvements
   - Various fixes and changes to e-mail workflow
   - Various IMAP fixes
   - Native desktop notifications
   - Fix date display issues (bsc#1109379)
   - Fix start-up crash due to folder name with special characters
     (bsc#1107772)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15:

      zypper in -t patch SUSE-SLE-Product-WE-15-2018-2333=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 15 (x86_64):

      MozillaThunderbird-60.2.1-3.13.1
      MozillaThunderbird-debuginfo-60.2.1-3.13.1
      MozillaThunderbird-debugsource-60.2.1-3.13.1
      MozillaThunderbird-translations-common-60.2.1-3.13.1
      MozillaThunderbird-translations-other-60.2.1-3.13.1
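   The package list above gives the fixed build, 60.2.1-3.13.1, for every
   MozillaThunderbird package on SUSE Linux Enterprise Workstation Extension 15.
   The script below is an added example (not part of the SUSE or AusCERT
   bulletin) that audits a list of installed packages against that build. It
   reads "NAME VERSION-RELEASE" lines in the shape produced by
   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'MozillaThunderbird*' and
   flags any package still below the fixed version. The sample input is
   constructed, and the version comparison is a deliberate simplification of
   rpmvercmp (numeric components only), which is sufficient for the
   VERSION-RELEASE strings in this update.

```shell
#!/bin/sh
# Added example: audit installed MozillaThunderbird packages against the fixed
# build from SUSE-SU-2018:3247-1. Not code from the bulletin.

FIXED_VERSION="60.2.1-3.13.1"   # taken from the Package List in the bulletin

# Constructed sample in the shape of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'MozillaThunderbird*'
# on a host where two packages are still old. Not captured from a real system.
SAMPLE_INSTALLED='MozillaThunderbird 60.0-1.3.1
MozillaThunderbird-translations-common 60.2.1-3.13.1
MozillaThunderbird-debuginfo 52.9.1-2.1'

# vercmp A B: prints "lt", "eq" or "gt".
# Simplified comparison: splits on "." and "-" and compares each component as an
# integer, with missing trailing components treated as 0. Real rpmvercmp also
# handles alphabetic segments and "~"/"^"; for this update's numeric
# VERSION-RELEASE strings the simplification is exact.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] : 0
      q = (i <= nb) ? y[i] : 0
      if (p + 0 < q + 0) { print "lt"; exit }
      if (p + 0 > q + 0) { print "gt"; exit }
    }
    print "eq"
  }'
}

# audit_packages: reads "NAME VERSION-RELEASE" lines on stdin, prints one
# status line per package and returns the number of packages still below
# FIXED_VERSION (0 means the host has the update).
audit_packages() {
  vulnerable=0
  while read -r name ver; do
    [ -z "$name" ] && continue
    if [ "$(vercmp "$ver" "$FIXED_VERSION")" = lt ]; then
      echo "VULNERABLE $name $ver (fixed in $FIXED_VERSION)"
      vulnerable=$((vulnerable + 1))
    else
      echo "OK         $name $ver"
    fi
  done
  return "$vulnerable"
}

# count_vulnerable: same check, printing only the count of outdated packages.
count_vulnerable() {
  audit_packages | grep -c '^VULNERABLE'
}

# Stand-alone run over the constructed sample. On a real SLE host, replace the
# printf with the rpm -qa command quoted above.
printf '%s\n' "$SAMPLE_INSTALLED" | audit_packages \
  || echo "$? package(s) still need patch SUSE-SLE-Product-WE-15-2018-2333"
```

   A non-zero count is the cue to run the zypper command from the Patch
   Instructions; once "zypper in -t patch SUSE-SLE-Product-WE-15-2018-2333=1"
   has completed, rerunning the audit against real rpm output should report OK
   for every package.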


References:

   https://www.suse.com/security/cve/CVE-2017-16541.html
   https://www.suse.com/security/cve/CVE-2018-12359.html
   https://www.suse.com/security/cve/CVE-2018-12360.html
   https://www.suse.com/security/cve/CVE-2018-12361.html
   https://www.suse.com/security/cve/CVE-2018-12362.html
   https://www.suse.com/security/cve/CVE-2018-12363.html
   https://www.suse.com/security/cve/CVE-2018-12364.html
   https://www.suse.com/security/cve/CVE-2018-12365.html
   https://www.suse.com/security/cve/CVE-2018-12366.html
   https://www.suse.com/security/cve/CVE-2018-12367.html
   https://www.suse.com/security/cve/CVE-2018-12371.html
   https://www.suse.com/security/cve/CVE-2018-12376.html
   https://www.suse.com/security/cve/CVE-2018-12377.html
   https://www.suse.com/security/cve/CVE-2018-12378.html
   https://www.suse.com/security/cve/CVE-2018-12383.html
   https://www.suse.com/security/cve/CVE-2018-12385.html
   https://www.suse.com/security/cve/CVE-2018-5156.html
   https://www.suse.com/security/cve/CVE-2018-5187.html
   https://www.suse.com/security/cve/CVE-2018-5188.html
   https://bugzilla.suse.com/1066489
   https://bugzilla.suse.com/1084603
   https://bugzilla.suse.com/1098998
   https://bugzilla.suse.com/1107343
   https://bugzilla.suse.com/1107772
   https://bugzilla.suse.com/1109363
   https://bugzilla.suse.com/1109379

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----