ALAS2-2018-1032


Amazon Linux 2 Security Advisory: ALAS-2018-1032
Advisory Release Date: 2018-06-11 22:07 Pacific
Severity: Critical

Issue Overview:

The following CVEs are fixed in the updated thunderbird package:

CVE-2018-5161 : Hang via malformed headers
CVE-2018-5162 : Encrypted mail leaks plaintext through src attribute
CVE-2018-5183 : Backport critical security fixes in Skia
CVE-2018-5155 : Use-after-free with SVG animations and text paths
CVE-2018-5170 : Filename spoofing for external attachments
CVE-2018-5184 : Full plaintext recovery in S/MIME via chosen-ciphertext attack
CVE-2018-5159 : Integer overflow and out-of-bounds write in Skia
CVE-2018-5178 : Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
CVE-2018-5168 : Lightweight themes can be installed without user interaction
CVE-2018-5150 : Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
CVE-2018-5154 : Use-after-free with SVG animations and clip paths
CVE-2018-5185 : Leaking plaintext through HTML forms


Affected Packages:

thunderbird


Issue Correction:
Run yum update thunderbird to update your system.

New Packages:
src:
    thunderbird-52.8.0-1.amzn2.src

x86_64:
    thunderbird-52.8.0-1.amzn2.x86_64
    thunderbird-debuginfo-52.8.0-1.amzn2.x86_64