SCIENTIFIC-LINUX-ERRATA Archives

May 2018

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Thu, 24 May 2018 21:48:58 -0000

Synopsis:          Important: thunderbird security update
Advisory ID: SLSA-2018:1725-1
Issue Date: 2018-05-24
CVE Numbers: CVE-2018-5150
                   CVE-2018-5154
                   CVE-2018-5155
                   CVE-2018-5159
                   CVE-2018-5168
                   CVE-2018-5178
                   CVE-2018-5183
                   CVE-2018-5184
                   CVE-2018-5161
                   CVE-2018-5162
                   CVE-2018-5170
                   CVE-2018-5185
--

This update upgrades Thunderbird to version 52.8.0.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
(CVE-2018-5150)

* Mozilla: Backport critical security fixes in Skia (CVE-2018-5183)

* Mozilla: Use-after-free with SVG animations and clip paths
(CVE-2018-5154)

* Mozilla: Use-after-free with SVG animations and text paths
(CVE-2018-5155)

* Mozilla: Integer overflow and out-of-bounds write in Skia
(CVE-2018-5159)

* Mozilla: Full plaintext recovery in S/MIME via chosen-ciphertext attack
(CVE-2018-5184)

* Mozilla: Hang via malformed headers (CVE-2018-5161)

* Mozilla: Encrypted mail leaks plaintext through src attribute
(CVE-2018-5162)

* Mozilla: Lightweight themes can be installed without user interaction
(CVE-2018-5168)

* Mozilla: Filename spoofing for external attachments (CVE-2018-5170)

* Mozilla: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension (CVE-2018-5178)

* Mozilla: Leaking plaintext through HTML forms (CVE-2018-5185)
--

SL7
  x86_64
    thunderbird-52.8.0-1.el7_5.x86_64.rpm
    thunderbird-debuginfo-52.8.0-1.el7_5.x86_64.rpm

- Scientific Linux Development Team
