Amazon Linux 2 Security Advisory: ALAS-2018-1032
Advisory Release Date: 2018-06-07 23:30 Pacific
Advisory Updated Date: 2018-06-11 22:07 Pacific
The following CVEs are fixed in the updated thunderbird package:
CVE-2018-5161: Hang via malformed headers
CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
CVE-2018-5183: Backport critical security fixes in Skia
CVE-2018-5155: Use-after-free with SVG animations and text paths
CVE-2018-5170: Filename spoofing for external attachments
CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
CVE-2018-5168: Lightweight themes can be installed without user interaction
CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
CVE-2018-5154: Use-after-free with SVG animations and clip paths
CVE-2018-5185: Leaking plaintext through HTML forms
Affected Packages:
thunderbird
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update thunderbird to update your system.
src:
thunderbird-52.8.0-1.amzn2.src
x86_64:
thunderbird-52.8.0-1.amzn2.x86_64
thunderbird-debuginfo-52.8.0-1.amzn2.x86_64
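To confirm that the Issue Correction step took effect, the installed thunderbird version-release can be compared against the fixed build listed above (52.8.0-1.amzn2). The script below is an added example, not part of the original advisory; the function names, the `--host` switch and the sample version strings are assumptions made for illustration, and GNU `sort -V` is used as an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Added example: confirm the ALAS-2018-1032 fix is installed.
FIXED_VR="52.8.0-1.amzn2"   # version-release listed in this advisory

# vr_at_least INSTALLED FIXED: succeeds when INSTALLED sorts at or above FIXED.
# Assumption: GNU `sort -V` stands in for rpm's own comparison; it handles
# plain numeric version-release strings like these, and epochs are ignored.
vr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify VR: print "patched" or "vulnerable" for one version-release string.
classify() {
    if vr_at_least "$1" "$FIXED_VR"; then
        echo patched
    else
        echo vulnerable
    fi
}

# check_host: classify the thunderbird package in the local RPM database.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; run this on the Amazon Linux 2 host"
        return 2
    fi
    if ! installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird); then
        echo "thunderbird is not installed; advisory does not apply"
        return 0
    fi
    status=$(classify "$installed")
    echo "thunderbird-$installed: $status"
    [ "$status" = patched ]
}

# Constructed sample inputs (not taken from any real host).
for vr in 52.7.0-1.amzn2 52.8.0-1.amzn2 52.10.0-1.amzn2; do
    echo "$vr -> $(classify "$vr")"
done

# Query the live system only when asked: sh check.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

With `--host`, the script exits non-zero when the installed package is older than the fixed build, so it can gate a patch-compliance job.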