Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2020:0982-1

Опубликовано: 17 июл. 2020
Источник: suse-cvrf

Описание

Security update for MozillaThunderbird

This update for MozillaThunderbird to version 68.10.0 ESR fixes the following issues:

  • CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
  • CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
  • CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
  • CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
  • CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).

This update was imported from the SUSE:SLE-15:Update update project.

Список пакетов

openSUSE Leap 15.2
MozillaThunderbird-68.10.0-lp152.2.4.1
MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1
MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1

Ссылки

Описание

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Затронутые продукты
openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1
Ссылки

Описание

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Затронутые продукты
openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1
Ссылки

Описание

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Затронутые продукты
openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1
Ссылки

Описание

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Затронутые продукты
openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1
Ссылки

Описание

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Затронутые продукты
openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1
openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1
Ссылки