#13637: thunderbird-68.9.0
-------------------------+------------------------------
 Reporter:  renodr       |       Owner:  pierre.labastie
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  9.2
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+------------------------------

Comment (by pierre.labastie):

 Here they are now:
 {{{
 Security Vulnerabilities fixed in Thunderbird 68.9.0

 Announced
     June 2, 2020
 Impact
     high
 Products
     Thunderbird
 Fixed in

         Thunderbird 68.9

 #CVE-2020-12399: Timing attack on DSA signatures in NSS library

 Reporter
     Cesar Pereida Garcia and the Network and Information Security Group
 (NISEC) at Tampere University
 Impact
     high

 Description

 NSS has shown timing differences when performing DSA signatures, which was
 exploitable and could eventually leak private keys.
 References

     Bug 1631576

 #CVE-2020-12405: Use-after-free in SharedWorkerService

 Reporter
     Marcin 'Icewall' Noga of Cisco Talos
 Impact
     high

 Description

 When browsing a malicious page, a race condition in our
 SharedWorkerService could occur and lead to a potentially exploitable
 crash.
 References

     Bug 1631618

 #CVE-2020-12406: JavaScript Type confusion with NativeTypes

 Reporter
     Iain Ireland
 Impact
     high

 Description

 Mozilla developer Iain Ireland discovered a missing type check during
 unboxed objects removal, resulting in a crash. We presume that with enough
 effort that it could be exploited to run arbitrary code.
 References

     Bug 1639590

 #CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0

 Reporter
     Mozilla developers
 Impact
     high

 Description

 Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs
 present in Firefox 68.8. Some of these bugs showed evidence of memory
 corruption and we presume that with enough effort some of these could have
 been exploited to run arbitrary code.
 References

     Memory safety bugs fixed in Thunderbird 68.9.0

 #CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to
 information leakage

 Reporter
     Damian Poddebniak
 Impact
     high

 Description

 If Thunderbird is configured to use STARTTLS for an IMAP server, and the
 server sends a PREAUTH response, then Thunderbird will continue with an
 unencrypted connection, causing email data to be sent without protection.
 References

     Bug 1613623
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/13637#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
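
The CVE-2020-12398 description above, sketched as a client-side check. This is an added example, not Thunderbird's or BLFS's code; `next_step`, `DowngradeError` and the sample greetings are hypothetical names and constructed data. It treats a PREAUTH greeting on a cleartext connection as fatal whenever the account is configured for STARTTLS.

```python
import re

# Server greeting per RFC 3501 section 7.1: "* OK", "* PREAUTH" or "* BYE",
# optionally followed by a [CAPABILITY ...] response code.
GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)\b(?: \[CAPABILITY ([^\]]*)\])?", re.I)


class DowngradeError(Exception):
    """The session cannot be upgraded to TLS although the account requires it."""


def next_step(greeting: bytes, require_starttls: bool, tls_active: bool = False) -> str:
    """Return "STARTTLS", "LOGIN" or "PROCEED" for a server greeting.

    Hypothetical helper: raises DowngradeError rather than continuing in
    cleartext when the account is configured for STARTTLS.
    """
    m = GREETING_RE.match(greeting.strip())
    if m is None:
        raise ValueError("not an IMAP greeting")
    state = m.group(1).upper()
    caps = {c.upper() for c in (m.group(2) or b"").split()}
    if state == b"BYE":
        raise ConnectionError("server refused the connection")
    if tls_active or not require_starttls:
        return "PROCEED" if state == b"PREAUTH" else "LOGIN"
    # Cleartext socket and the account demands STARTTLS from here on.
    if state == b"PREAUTH":
        # PREAUTH starts the session already authenticated, a state in which
        # STARTTLS is no longer valid (RFC 3501 section 6.2.1): drop the link.
        raise DowngradeError("PREAUTH greeting on a cleartext connection")
    if caps and b"STARTTLS" not in caps:
        raise DowngradeError("server does not advertise STARTTLS")
    # No capability list in the greeting: still attempt STARTTLS first.
    return "STARTTLS"


if __name__ == "__main__":
    # Constructed greetings, not captured traffic.
    samples = [
        b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n",
        b"* PREAUTH [CAPABILITY IMAP4rev1] logged in as user\r\n",
        b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready\r\n",
    ]
    for line in samples:
        try:
            print(line.strip().decode(), "->", next_step(line, require_starttls=True))
        except DowngradeError as exc:
            print(line.strip().decode(), "-> abort:", exc)
```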
