Opened 5 years ago
Closed 5 years ago
#11675 closed enhancement (fixed)
thunderbird-60.5.1 (CVE-2018-18356 CVE-2019-5785 CVE-2018-18335 CVE-2018-18509)
| Reported by: | Bruce Dubbs | Owned by: | Tim Tassonis |
|---|---|---|---|
| Priority: | high | Milestone: | 8.4 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version. OK for 8.4.
Change History (3)
comment:1 by , 5 years ago
| Priority: | normal → high |
|---|---|
| Summary: | thunderbird-60.5.1 → thunderbird-60.5.1 (CVE-2018-18356 CVE-2019-5785 CVE-2018-18335 CVE-2018-18509) |
comment:2 by , 5 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Note:
See TracTickets
for help on using tickets.
Thunderbird Release Notes Version 60.5.1, first offered to channel users on February 14, 2019 Check out "What’s New" and "Known Issues" for this version of Thunderbird below. As always, you’re encouraged to tell us what you think, or file a bug in Bugzilla. If interested, please see the complete list of changes in this release. If you have installed Lightning, Thunderbird's Calendar add-on, it will automatically be updated to match the new version of Thunderbird. Refer to this Calendar troubleshooting article in case of problems. System Requirements: • Window: Windows 7, Windows Server 2008 R2 or later • Mac: Mac OS X 10.9 or later • Linux: GTK+ 3.4 or higher. Details here. Please refer to Release Notes for version 60.0 to see the list of improvements and fixed issues. What’s New fixed CalDav access to some servers not working fixed Various security fixes Known Issues unresolved Due to changes in the Mozilla platform profiles stored on Windows network shares addressed via drive letters are now addressed via UNC unresolved Chat: Twitter not working due to API changes at Twitter.comMozilla Foundation Security Advisory 2019-06 Security vulnerabilities fixed in Thunderbird 60.5.1 Announced February 14, 2019 Impact high Products Thunderbird Fixed in Thunderbird 60.5.1 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. #CVE-2018-18356: Use-after-free in Skia Reporter Tran Tien Hung of Viettel Cyber Security Impact high Description A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. References Bug 1525817 #CVE-2019-5785: Integer overflow in Skia Reporter Ivan Fratric of Google Project Zero Impact high Description An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. References Bug 1525433 The Curious Case of Convexity Confusion #CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D Reporter Anonymous Impact high Description A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default. References Bug 1525815 #CVE-2018-18509: S/MIME signature spoofing Reporter Damian Poddebniak Impact high Description A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. References Bug 1507218Security fixes: CVE-2018-18356, CVE-2019-5785, CVE-2018-18335, CVE-2018-18509