From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-2405-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id B4888138334
	for <garchives@archives.gentoo.org>; Sat, 24 Nov 2018 20:03:44 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id B9B05E0AE9;
	Sat, 24 Nov 2018 20:03:14 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 554ADE07EF
	for <gentoo-announce@lists.gentoo.org>; Sat, 24 Nov 2018 19:52:11 +0000 (UTC)
Received: from localhost (pool-108-45-63-132.washdc.fios.verizon.net [108.45.63.132])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: bman)
	by smtp.gentoo.org (Postfix) with ESMTPSA id 650AC335D1A
	for <gentoo-announce@lists.gentoo.org>; Sat, 24 Nov 2018 19:52:09 +0000 (UTC)
Date: Sat, 24 Nov 2018 14:52:05 -0500
From: Aaron Bauman <bman@gentoo.org>
To: gentoo-announce@lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 201811-13 ] Mozilla Thunderbird: Multiple vulnerabilities
Message-ID: <20181124195205.GC17300@monkey>
Reply-To: security@gentoo.org
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="ncSAzJYg3Aa9+CRW"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Archives-Salt: d3db31cd-29d9-43fb-8816-efd16f909f3d
X-Archives-Hash: a69eac5c5c258b46f40ffbd4f1a88264


--ncSAzJYg3Aa9+CRW
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201811-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Mozilla Thunderbird: Multiple vulnerabilities
     Date: November 24, 2018
     Bugs: #651862, #656092, #660342, #669960, #670102
       ID: 201811-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

Multiple vulnerabilities have been found in Mozilla Thunderbird, the
worst of which could lead to the execution of arbitrary code.

Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  mail-client/thunderbird      < 60.3.0                  >=3D 60.3.0=20
  2  mail-client/thunderbird-bin
                                  < 60.3.0                  >=3D 60.3.0=20
    -------------------------------------------------------------------
     2 affected packages

Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the referenced Mozilla Foundation Security Advisories and
CVE identifiers below for details.

Impact
=3D=3D=3D=3D=3D=3D

A remote attacker may be able to execute arbitrary code, cause a Denial
of Service condition, obtain sensitive information, or conduct
Cross-Site Request Forgery (CSRF).

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

There is no known workaround at this time.

Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

All Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=3Dmail-client/thunderbird-60.3.0"

All Thunderbird binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=3Dmail-client/thunderbird-bin-60.3.0"

References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[  1 ] CVE-2017-16541
       https://nvd.nist.gov/vuln/detail/CVE-2017-16541
[  2 ] CVE-2018-12359
       https://nvd.nist.gov/vuln/detail/CVE-2018-12359
[  3 ] CVE-2018-12360
       https://nvd.nist.gov/vuln/detail/CVE-2018-12360
[  4 ] CVE-2018-12361
       https://nvd.nist.gov/vuln/detail/CVE-2018-12361
[  5 ] CVE-2018-12362
       https://nvd.nist.gov/vuln/detail/CVE-2018-12362
[  6 ] CVE-2018-12363
       https://nvd.nist.gov/vuln/detail/CVE-2018-12363
[  7 ] CVE-2018-12364
       https://nvd.nist.gov/vuln/detail/CVE-2018-12364
[  8 ] CVE-2018-12365
       https://nvd.nist.gov/vuln/detail/CVE-2018-12365
[  9 ] CVE-2018-12366
       https://nvd.nist.gov/vuln/detail/CVE-2018-12366
[ 10 ] CVE-2018-12367
       https://nvd.nist.gov/vuln/detail/CVE-2018-12367
[ 11 ] CVE-2018-12371
       https://nvd.nist.gov/vuln/detail/CVE-2018-12371
[ 12 ] CVE-2018-12372
       https://nvd.nist.gov/vuln/detail/CVE-2018-12372
[ 13 ] CVE-2018-12373
       https://nvd.nist.gov/vuln/detail/CVE-2018-12373
[ 14 ] CVE-2018-12374
       https://nvd.nist.gov/vuln/detail/CVE-2018-12374
[ 15 ] CVE-2018-12376
       https://nvd.nist.gov/vuln/detail/CVE-2018-12376
[ 16 ] CVE-2018-12377
       https://nvd.nist.gov/vuln/detail/CVE-2018-12377
[ 17 ] CVE-2018-12378
       https://nvd.nist.gov/vuln/detail/CVE-2018-12378
[ 18 ] CVE-2018-12379
       https://nvd.nist.gov/vuln/detail/CVE-2018-12379
[ 19 ] CVE-2018-12383
       https://nvd.nist.gov/vuln/detail/CVE-2018-12383
[ 20 ] CVE-2018-12385
       https://nvd.nist.gov/vuln/detail/CVE-2018-12385
[ 21 ] CVE-2018-12389
       https://nvd.nist.gov/vuln/detail/CVE-2018-12389
[ 22 ] CVE-2018-12390
       https://nvd.nist.gov/vuln/detail/CVE-2018-12390
[ 23 ] CVE-2018-12391
       https://nvd.nist.gov/vuln/detail/CVE-2018-12391
[ 24 ] CVE-2018-12392
       https://nvd.nist.gov/vuln/detail/CVE-2018-12392
[ 25 ] CVE-2018-12393
       https://nvd.nist.gov/vuln/detail/CVE-2018-12393
[ 26 ] CVE-2018-5125
       https://nvd.nist.gov/vuln/detail/CVE-2018-5125
[ 27 ] CVE-2018-5127
       https://nvd.nist.gov/vuln/detail/CVE-2018-5127
[ 28 ] CVE-2018-5129
       https://nvd.nist.gov/vuln/detail/CVE-2018-5129
[ 29 ] CVE-2018-5144
       https://nvd.nist.gov/vuln/detail/CVE-2018-5144
[ 30 ] CVE-2018-5145
       https://nvd.nist.gov/vuln/detail/CVE-2018-5145
[ 31 ] CVE-2018-5146
       https://nvd.nist.gov/vuln/detail/CVE-2018-5146
[ 32 ] CVE-2018-5150
       https://nvd.nist.gov/vuln/detail/CVE-2018-5150
[ 33 ] CVE-2018-5154
       https://nvd.nist.gov/vuln/detail/CVE-2018-5154
[ 34 ] CVE-2018-5155
       https://nvd.nist.gov/vuln/detail/CVE-2018-5155
[ 35 ] CVE-2018-5156
       https://nvd.nist.gov/vuln/detail/CVE-2018-5156
[ 36 ] CVE-2018-5159
       https://nvd.nist.gov/vuln/detail/CVE-2018-5159
[ 37 ] CVE-2018-5161
       https://nvd.nist.gov/vuln/detail/CVE-2018-5161
[ 38 ] CVE-2018-5162
       https://nvd.nist.gov/vuln/detail/CVE-2018-5162
[ 39 ] CVE-2018-5168
       https://nvd.nist.gov/vuln/detail/CVE-2018-5168
[ 40 ] CVE-2018-5170
       https://nvd.nist.gov/vuln/detail/CVE-2018-5170
[ 41 ] CVE-2018-5178
       https://nvd.nist.gov/vuln/detail/CVE-2018-5178
[ 42 ] CVE-2018-5183
       https://nvd.nist.gov/vuln/detail/CVE-2018-5183
[ 43 ] CVE-2018-5184
       https://nvd.nist.gov/vuln/detail/CVE-2018-5184
[ 44 ] CVE-2018-5185
       https://nvd.nist.gov/vuln/detail/CVE-2018-5185
[ 45 ] CVE-2018-5187
       https://nvd.nist.gov/vuln/detail/CVE-2018-5187
[ 46 ] CVE-2018-5188
       https://nvd.nist.gov/vuln/detail/CVE-2018-5188

Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201811-13

Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=3D=3D=3D=3D=3D=3D=3D

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

--ncSAzJYg3Aa9+CRW
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlv5q+UACgkQpRQw84X1
dt1BJAgAhXOlr+ztOJ9En+KNeQEOu1P2BaZDBp2gqd27g2OovmqOlaUWm6x0U4Pg
/Wp0P7JOB5oEYPjLYsLwqVwj7xGX7QKHoynU/L9R7no0xewMvmeByHiV/o8NAuFa
tNULJLBjd+uKPb/4UAh2XYY1quBfwr2fjW13dbsPUILbf9v5FSSnxAi3kmqeJvWZ
Ov8GN81gUoO8v0Vsmu5VLtrDVvAqfxpbsisL06AlWhC5AD0S0HnXpwWjH+0eciEv
JnvVR+oLoWqCTxonep10mXywKYtmSuwfKgKqlvUi2OYZf4/fOdZDdWMFlEpr7zXF
07RUYl1AZfFF1witcW05hX1p+hP8Gw==
=Y/3P
-----END PGP SIGNATURE-----

--ncSAzJYg3Aa9+CRW--