{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"60.7.2-85.1","MozillaThunderbird-buildsymbols":"60.7.2-85.1","MozillaThunderbird-translations-common":"60.7.2-85.1","MozillaThunderbird-translations-other":"60.7.2-85.1"}]},"package":{"ecosystem":"SUSE:Package Hub 12","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Package%20Hub%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"60.7.2-85.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\nMozilla Thunderbird was updated to 60.7.2 / MFSA 2019-20 (boo#1138872):\n  * CVE-2019-11707: Type confusion in Array.pop\n  * CVE-2019-11708: sandbox escape using Prompt:Open\n\nMozilla Thunderbird was updated to 60.7.1 / MFSA 2019-17 (boo#1137595):\n* CVE-2019-11703: Heap buffer overflow in icalparser.c\n* CVE-2019-11704: Heap buffer overflow in icalvalue.c\n* CVE-2019-11705: Stack buffer overflow in icalrecur.c\n* CVE-2019-11706: Type confusion in icalproperty.c\n\nAlso fixed: No prompt for smartcard PIN when S/MIME signing is used\n\nMozilla Thunderbird was updated to 60.7.0 / MFSA 2019-15 (boo#1135824):\n\n* Attachment pane of Write window no longer focussed when attaching\n  files using a keyboard shortcut\n\n* CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS\n* CVE-2019-9816: Type confusion with object groups and UnboxedObjects\n* CVE-2019-9817: Stealing of cross-domain images using canvas\n* CVE-2019-9818 (Windows only): Use-after-free in crash generation server\n* CVE-2019-9819: Compartment mismatch with fetch API\n* CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell\n* CVE-2019-11691: Use-after-free in XMLHttpRequest\n* CVE-2019-11692: Use-after-free removing listeners in the event listener manager\n* CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux\n* CVE-2019-7317: Use-after-free in png_image_free of libpng library\n* CVE-2019-9797: Cross-origin theft of images with createImageBitmap\n* CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext\n* CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox\n* CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks\n* CVE-2019-5798: Out-of-bounds read in Skia\n* CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7\n\n- Disable building with LTO (boo#1133267).\n","id":"openSUSE-SU-2019:1664-1","modified":"2019-06-28T08:42:30Z","published":"2019-06-28T08:42:30Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZFVBHHF6WMJDJB73NZDWFFGS6D23TB67/#ZFVBHHF6WMJDJB73NZDWFFGS6D23TB67"},{"type":"REPORT","url":"https://bugzilla.suse.com/1130694"},{"type":"REPORT","url":"https://bugzilla.suse.com/1133267"},{"type":"REPORT","url":"https://bugzilla.suse.com/1135824"},{"type":"REPORT","url":"https://bugzilla.suse.com/1137595"},{"type":"REPORT","url":"https://bugzilla.suse.com/1138872"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-18511"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11691"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11692"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11693"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11694"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11698"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11703"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11704"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11705"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11706"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11707"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-11708"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-5798"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7317"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9797"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9800"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9815"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9816"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9817"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9818"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9819"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-9820"}],"related":["CVE-2018-18511","CVE-2019-11691","CVE-2019-11692","CVE-2019-11693","CVE-2019-11694","CVE-2019-11698","CVE-2019-11703","CVE-2019-11704","CVE-2019-11705","CVE-2019-11706","CVE-2019-11707","CVE-2019-11708","CVE-2019-5798","CVE-2019-7317","CVE-2019-9797","CVE-2019-9800","CVE-2019-9815","CVE-2019-9816","CVE-2019-9817","CVE-2019-9818","CVE-2019-9819","CVE-2019-9820"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2018-18511","CVE-2019-11691","CVE-2019-11692","CVE-2019-11693","CVE-2019-11694","CVE-2019-11698","CVE-2019-11703","CVE-2019-11704","CVE-2019-11705","CVE-2019-11706","CVE-2019-11707","CVE-2019-11708","CVE-2019-5798","CVE-2019-7317","CVE-2019-9797","CVE-2019-9800","CVE-2019-9815","CVE-2019-9816","CVE-2019-9817","CVE-2019-9818","CVE-2019-9819","CVE-2019-9820"]}