File _patchinfo of Package patchinfo.8615

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.8615

<patchinfo incident="8615">
  <issue tracker="bnc" id="1098998">VUL-0: MozillaFirefox: 52.9esr/60.1.0esr/61 release</issue>
  <issue tracker="bnc" id="1084603">Thunderbird doesn't save settings about remote content in mails</issue>
  <issue id="1066489" tracker="bnc">VUL-1: CVE-2017-16541: MozillaFirefox: information disclosure through file:// URLs</issue>
  <issue id="1107343" tracker="bnc">VUL-0: MozillaFirefox: 62 / 60.2 ESR releases</issue>
  <issue id="1107772" tracker="bnc">MozillaThunderbird: 60.0 start-up crash due to folder name with special characters</issue>
  <issue id="1109363" tracker="bnc">VUL-0: CVE-2018-12385: MozillaFirefox: Crash in TransportSecurityInfo due to cached data</issue>
  <issue id="1109379" tracker="bnc">Thunderbird 60.0 displays wrong date format</issue>
  <issue id="2017-16541" tracker="cve" />
  <issue id="2018-12376" tracker="cve" />
  <issue id="2018-12377" tracker="cve" />
  <issue id="2018-12378" tracker="cve" />
  <issue id="2018-12383" tracker="cve" />
  <issue id="2018-12385" tracker="cve" />
  <issue tracker="cve" id="2018-12362"/>
  <issue tracker="cve" id="2018-12363"/>
  <issue tracker="cve" id="2018-12360"/>
  <issue tracker="cve" id="2018-12361"/>
  <issue tracker="cve" id="2018-12366"/>
  <issue tracker="cve" id="2018-12367"/>
  <issue tracker="cve" id="2018-12364"/>
  <issue tracker="cve" id="2018-12365"/>
  <issue tracker="cve" id="2018-12359"/>
  <issue tracker="cve" id="2018-5188"/>
  <issue tracker="cve" id="2018-5187"/>
  <issue tracker="cve" id="2018-5156"/>
  <issue tracker="cve" id="2018-12371"/>
  <category>security</category>
  <rating>important</rating>
  <packager>AndreasStieger</packager>
  <description>This update for MozillaThunderbird to version 60.2.1 fixes the following issues:

Update to Thunderbird 60.2.1:

* Calendar: Default values for the first day of the week and
  working days are now derived from the selected datetime
  formatting locale
* Calendar: Switch to a Photon-style icon set for all platforms
* Fix multiple requests for master password when Google Mail or
  Calendar OAuth2 is enabled
* Fix scrollbar of the address entry auto-complete popup
* Fix security info dialog in compose window not showing 
  certificate status
* Fix links in the Add-on Manager's search results and theme
  browsing tabs that opened in external browser
* Fix localization not showing the localized name for the
  "Drafts" and "Sent" folders for certain IMAP providers
* Fix replying to a message with an empty subject which
  inserted Re: twice
* Fix spellcheck marks disappeaing erroneously for words with
  an apostrophe
* Calendar: First day of the week can now be set
* Calendar: Several fixes related to cutting/deleting of events
  and email schedulin

These security issues were fixed:

- CVE-2018-12359: Prevent buffer overflow using computed size of canvas element (bsc#1098998).
- CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998).
- CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998).
- CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998).
- CVE-2018-5156: Prevent media recorder segmentation fault when track type is changed during capture (bsc#1098998).
- CVE-2018-12363: Prevent use-after-free when appending DOM nodes (bsc#1098998).
- CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998).
- CVE-2018-12365: Prevent compromised IPC child process listing local filenames (bsc#1098998).
- CVE-2018-12371: Prevent integer overflow in Skia library during edge builder allocation (bsc#1098998).
- CVE-2018-12366: Prevent invalid data handling during QCMS transformations (bsc#1098998).
- CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998).
- CVE-2018-5187: Various memory safety bugs (bsc#1098998).
- CVE-2018-5188: Various memory safety bugs (bsc#1098998).
- CVE-2018-12377: Prevent use-after-free in refresh driver timers (bsc#1107343)
- CVE-2018-12378: Prevent use-after-free in IndexedDB (bsc#1107343)
- CVE-2017-16541: Prevent proxy bypass using automount and autofs (bsc#1066489)
- CVE-2018-12376: Fixed various memory safety bugs (bsc#1107343)
- CVE-2018-12385: Fixed crash in TransportSecurityInfo due to cached data (bsc#1109363)
- CVE-2018-12383: Fixed that setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)

These can not, in general, be exploited through email, but are potential risks
in browser or browser-like contexts.

These non-security issues were fixed:

- Storing of remote content settings fixed (bsc#1084603)
- Improved message handling and composing
- Improved handling of message templates
- Support for OAuth2 and FIDO U2F
- Various Calendar improvements
- Various fixes and changes to e-mail workflow 
- Various IMAP fixes
- Native desktop notifications
- Fix date display issues (bsc#1109379)
- Fix start-up crash due to folder name with special characters
  (bsc#1107772)
</description>
  <summary>Security update for MozillaThunderbird</summary>
</patchinfo>

Places

File _patchinfo of Package patchinfo.8615

Places