Synopsis: Important: thunderbird security update Advisory ID: SLSA-2018:2251-1 Issue Date: 2018-07-25 CVE Numbers: CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366 CVE-2018-5188 CVE-2018-12373 CVE-2018-12372 CVE-2018-12374 -- This update upgrades Thunderbird to version 52.9.1. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188) * Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359) * Mozilla: Use-after-free using focus() (CVE-2018-12360) * Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362) * Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363) * Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364) * thunderbird: S/MIME and PGP decryption oracles can be built with HTML emails (CVE-2018-12372) * thunderbird: S/MIME plaintext can be leaked through HTML reply/forward (CVE-2018-12373) * Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365) * Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366) * thunderbird: Using form to exfiltrate encrypted mail part by pressing enter in form field (CVE-2018-12374) -- SL6 x86_64 thunderbird-52.9.1-1.el6.x86_64.rpm thunderbird-debuginfo-52.9.1-1.el6.x86_64.rpm i386 thunderbird-52.9.1-1.el6.i686.rpm thunderbird-debuginfo-52.9.1-1.el6.i686.rpm - Scientific Linux Development Team