Synopsis:          Important: thunderbird security update
Advisory ID:       SLSA-2018:2251-1
Issue Date:        2018-07-25
CVE Numbers:       CVE-2018-12359
                   CVE-2018-12360
                   CVE-2018-12362
                   CVE-2018-12363
                   CVE-2018-12364
                   CVE-2018-12365
                   CVE-2018-12366
                   CVE-2018-5188
                   CVE-2018-12373
                   CVE-2018-12372
                   CVE-2018-12374
--

This update upgrades Thunderbird to version 52.9.1.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element
(CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins
(CVE-2018-12364)

* thunderbird: S/MIME and PGP decryption oracles can be built with HTML
emails (CVE-2018-12372)

* thunderbird: S/MIME plaintext can be leaked through HTML reply/forward
(CVE-2018-12373)

* Mozilla: Compromised IPC child process can list local filenames
(CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations
(CVE-2018-12366)

* thunderbird: Using form to exfiltrate encrypted mail part by pressing
enter in form field (CVE-2018-12374)
--

SL6
  x86_64
    thunderbird-52.9.1-1.el6.x86_64.rpm
    thunderbird-debuginfo-52.9.1-1.el6.x86_64.rpm
  i386
    thunderbird-52.9.1-1.el6.i686.rpm
    thunderbird-debuginfo-52.9.1-1.el6.i686.rpm

- Scientific Linux Development Team