openSUSE-SU-2018:3051-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird

Announcement ID: openSUSE-SU-2018:3051-1
Rating: important
References: #1066489 #1084603 #1098998 #1107343 #1107772
#1109363 #1109379
Cross-References: CVE-2017-16541 CVE-2018-12359 CVE-2018-12360
CVE-2018-12361 CVE-2018-12362 CVE-2018-12363
CVE-2018-12364 CVE-2018-12365 CVE-2018-12366
CVE-2018-12367 CVE-2018-12371 CVE-2018-12376
CVE-2018-12377 CVE-2018-12378 CVE-2018-12383
CVE-2018-12385 CVE-2018-16541 CVE-2018-5156
CVE-2018-5187 CVE-2018-5188
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0

An update that fixes 20 vulnerabilities is now available.


This update for Mozilla Thunderbird to version 60.2.1 fixes multiple

Multiple security issues were fixed in the Mozilla platform as advised in
MFSA 2018-25. In general, these flaws cannot be exploited through email in
Thunderbird because scripting is disabled when reading mail, but are
potential risks in browser or browser-like contexts:

– CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343)
– CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343)
– CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1066489)
– CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR
60.2 (bsc#1107343)
– CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
– CVE-2018-12383: Setting a master password did not delete unencrypted
previously stored passwords (bsc#1107343)
– CVE-2018-12359: Buffer overflow using computed size of canvas element
– CVE-2018-12360: Use-after-free when using focus() (bsc#1098998)
– CVE-2018-12361: Integer overflow in SwizzleData (bsc#1098998)
– CVE-2018-12362: Integer overflow in SSSE3 scaler (bsc#1098998)
– CVE-2018-12363: Use-after-free when appending DOM nodes (bsc#1098998)
– CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
– CVE-2018-12365: Compromised IPC child process can list local filenames
– CVE-2018-12371: Integer overflow in Skia library during edge builder
allocation (bsc#1098998)
– CVE-2018-12366: Invalid data handling during QCMS transformations
– CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
– CVE-2018-5156: Media recorder segmentation fault when track type is
changed during capture (bsc#1098998)
– CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
and Thunderbird 60 (bsc#1098998)
– CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
Firefox ESR 52.9, and Thunderbird 60 (bsc#1098998)

Other bug fixes:

– Fix date display issues (bsc#1109379)
– Fix start-up crash due to folder name with special characters

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1139=1

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1139=1
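
A post-update check, added here as an example and not part of the openSUSE advisory: it flags hosts whose MozillaThunderbird package is still below the fixed version 60.2.1. The "host name version" inventory format, the host names and the sample versions are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. Flags hosts whose MozillaThunderbird
# package is older than the fixed version named in the advisory.
FIXED_VERSION="60.2.1"

# version_ge A B: succeeds when version A >= version B.
# Uses GNU "sort -V"; this agrees with rpm ordering only for plain dotted
# numbers, which is what the upstream version field holds here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_inventory: reads "host name version" lines on stdin and prints
# "host version" for every host that still needs the update.
# Assumed source of each line (run per host, prefixed with the host name):
#   rpm -q --qf '%{NAME} %{VERSION}\n' MozillaThunderbird
audit_inventory() {
    while read -r host name version; do
        # Exact name match, so translation subpackages are not counted twice.
        [ "$name" = "MozillaThunderbird" ] || continue
        version_ge "$version" "$FIXED_VERSION" || printf '%s %s\n' "$host" "$version"
    done
}

# Constructed sample inventory (hypothetical hosts and versions).
sample_inventory() {
    cat <<'EOF'
ws-01 MozillaThunderbird 52.9.1
ws-02 MozillaThunderbird 60.2.1
ws-03 MozillaThunderbird 60.0
ws-04 MozillaThunderbird-translations-common 52.9.1
ws-05 MozillaThunderbird 60.10.0
EOF
}

# Lists ws-01 and ws-03; ws-05 shows why a plain string comparison is not
# enough ("60.10.0" sorts before "60.2.1" lexically but is newer).
sample_inventory | audit_inventory
```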

Package List:

– openSUSE Leap 42.3 (x86_64):


– openSUSE Leap 15.0 (x86_64):


