ALAS2-2019-1229

References: CVE-2018-18511  CVE-2019-11691  CVE-2019-11692  CVE-2019-11693  CVE-2019-11698  CVE-2019-5798  CVE-2019-7317  CVE-2019-9797  CVE-2019-9800  CVE-2019-9817  CVE-2019-9819  CVE-2019-9820 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Mozilla: Buffer overflow in WebGL bufferdata on Linux (CVE-2019-11693)

Mozilla: Use-after-free in XMLHttpRequest (CVE-2019-11691)

Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This vulnerability affects Firefox < 66. (CVE-2019-9797)

Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 (CVE-2019-9800)

Mozilla: Use-after-free removing listeners in the event listener manager (CVE-2019-11692)

Mozilla: Use-after-free of ChromeEventHandler by DocShell (CVE-2019-9820)

Mozilla: Compartment mismatch with fetch API (CVE-2019-9819)

Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (CVE-2019-5798)

Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks (CVE-2019-11698)

png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute. (CVE-2019-9817)

libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)

Cross-origin images can be read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap method. *Note: This only affects Firefox 65. Previous versions are unaffected.*. This vulnerability affects Firefox < 65.0.1. (CVE-2018-18511)

Issue Correction:
Run yum update thunderbird to update your system.

New Packages:

src:
    thunderbird-60.7.0-1.amzn2.0.1.src

x86_64:
    thunderbird-60.7.0-1.amzn2.0.1.x86_64
    thunderbird-debuginfo-60.7.0-1.amzn2.0.1.x86_64