openSUSE-SU-2019:0249-1: important: Security update for MozillaThunderbird

openSUSE Security Update: Security update for MozillaThunderbird

Announcement ID: openSUSE-SU-2019:0249-1
Rating: important
References: #1122983 #1125330
Cross-References: CVE-2016-5824 CVE-2018-12405 CVE-2018-17466
CVE-2018-18335 CVE-2018-18356 CVE-2018-18492
CVE-2018-18493 CVE-2018-18494 CVE-2018-18498
CVE-2018-18500 CVE-2018-18501 CVE-2018-18505
CVE-2018-18509 CVE-2019-5785
Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12

An update that fixes 14 vulnerabilities is now available.


This update for MozillaThunderbird to version 60.5.1 fixes the following

Security vulnerabilities addressed (MFSA 2019-03 MFSA 2018-31 bsc#1122983
and MFSA 2019-06 bsc#1125330):

– CVE-2018-18356: Fixed a Use-after-free in Skia.
– CVE-2019-5785: Fixed an Integer overflow in Skia.
– CVE-2018-18335: Fixed a Buffer overflow in Skia by default deactivating
Canvas 2D. This issue does not affect Linuc distributions.
– CVE-2018-18509: Fixed a flaw which during verification of certain S/MIME
signatures showing mistekenly that emails bring a valid sugnature.
– CVE-2018-18500: Use-after-free parsing HTML5 stream
– CVE-2018-18505: Privilege escalation through IPC channel messages
– CVE-2016-5824: DoS (use-after-free) via a crafted ics file
– CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR
– CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library
with TextureStorage11
– CVE-2018-18492: Use-after-free with select element
– CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia
– CVE-2018-18494: Same-origin policy violation using location attribute
and performance.getEntries to steal cross-origin URLs
– CVE-2018-18498: Integer overflow when calculating buffer sizes for images
– CVE-2018-12405: Memory safety bugs

Other bug fixes and changes:

* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines from a
local XML file using a minimal user inferface: [+] button to select a
file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default in some
* During account creation, Thunderbird will now detect servers using the
Microsoft Exchange protocol. It will offer the installation of a 3rd
party add-on (Owl) which supports that protocol.
* Thunderbird now compatible with other WebExtension-based FileLink
add-ons like the Dropbox add-on
* New WebExtensions FileLink API to facilitate add-ons
* Fix decoding problems for messages with less common charsets (cp932,
* New messages in the drafts folder (and other special or virtual folders)
will no longer be included in the new messages notification
* Thunderbird 60 will migrate security databases (key3.db, cert8.db to
key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a fault
that potentially deleted saved passwords and private certificate keys
for users using a master password. Version 60.3.3 will prevent the loss
of data; affected users who have already upgraded to version 60.3.2 or
earlier can restore the deleted key3.db file from backup to complete the
* Address book search and auto-complete slowness introduced in Thunderbird
* Plain text markup with * for bold, / for italics, _ for underline and |
for code did not work when the enclosed text contained non-ASCII
* While composing a message, a link not removed when link location was
removed in the link properties panel
* Encoding problems when exporting address books or messages using the
system charset. Messages are now always exported using the UTF-8 encoding
* If the “Date” header of a message was invalid, Jan 1970 or Dec 1969 was
displayed. Now using date from “Received” header instead.
* Body search/filtering didn’t reliably ignore content of tags
* Inappropriate warning “Thunderbird prevented the site
( from asking you to install software on your
computer” when installing add-ons
* Incorrect display of correspondents column since own email address was
not always detected
* Spurious (encoded newline) inserted into drafts and sent email
* Double-clicking on a word in the Write window sometimes launched the
Advanced Property Editor or Link Properties dialog
* Fixe Cookie removal
* “Download rest of message” was not working if global inbox was used
* Fix Encoding problems for users (especially in Poland) when a file was
sent via a folder using “Sent to > Mail recipient” due to a problem in
the Thunderbird MAPI interface
* According to RFC 4616 and RFC 5721, passwords containing non-ASCII
characters are encoded using UTF-8 which can lead to problems with
non-compliant providers, for example The SMTP LOGIN and POP3 USER/PASS authentication methods
are now using a Latin-1 encoding again to work around this issue
* Fix shutdown crash/hang after entering an empty IMAP password

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-249=1

Package List:

– SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):



To unsubscribe, e-mail:
For additional commands, e-mail: