Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#13637 closed enhancement (fixed)

thunderbird-68.9.0

Reported by: Douglas R. Reno Owned by: Pierre Labastie
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version

Change History (6)

comment:1 by Pierre Labastie, 5 years ago

Owner: changed from blfs-book to Pierre Labastie
Status: newassigned 
fixed: Custom headers added for searching or filtering could not be removed
fixed: Calendar: Today Pane updated prior to loading all data
fixed: Stability improvements
fixed: Various security fixes

But the security fixes page does not show anything for 68.9 (yet)

comment:2 by Pierre Labastie, 5 years ago

Here they are now: 

Security Vulnerabilities fixed in Thunderbird 68.9.0

Announced
    June 2, 2020
Impact
    high
Products
    Thunderbird
Fixed in

        Thunderbird 68.9

#CVE-2020-12399: Timing attack on DSA signatures in NSS library

Reporter
    Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at Tampere University
Impact
    high

Description

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.
References

    Bug 1631576

#CVE-2020-12405: Use-after-free in SharedWorkerService

Reporter
    Marcin 'Icewall' Noga of Cisco Talos
Impact
    high

Description

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.
References

    Bug 1631618

#CVE-2020-12406: JavaScript Type confusion with NativeTypes

Reporter
    Iain Ireland
Impact
    high

Description

Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.
References

    Bug 1639590

#CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0

Reporter
    Mozilla developers
Impact
    high

Description

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 68.9.0

#CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage

Reporter
    Damian Poddebniak
Impact
    high

Description

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection.
References

    Bug 1613623

comment:3 by Pierre Labastie, 5 years ago

Priority: normalhigh

Promoting to high

comment:4 by Pierre Labastie, 5 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r23246

comment:5 by Bruce Dubbs, 5 years ago

Milestone: 9.210,0

Milestone renamed

comment:6 by Bruce Dubbs, 5 years ago

Milestone: 10,010.0

Milestone renamed

Note: See TracTickets for help on using tickets.