Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:1495-1 Final 1 1 2019-06-14T11:52:19Z current 2019-06-14T11:52:19Z 2019-06-14T11:52:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following security issues: - CVE-2019-11703: Fixed a heap-based buffer overflow in icalmemorystrdupanddequote() (bsc#1137595). - CVE-2019-11704: Fixed a heap-based buffer overflow in parser_get_next_char() (bsc#1137595). - CVE-2019-11705: Fixed a stack-based buffer overflow in icalrecur_add_bydayrules() (bsc#1137595). - CVE-2019-11706: Fixed a type confusion in icaltimezone_get_vtimezone_properties() (bsc#1137595). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-1495,SUSE-SLE-Product-WE-15-2019-1495,SUSE-SLE-Product-WE-15-SP1-2019-1495 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20191495-1/ Link for SUSE-SU-2019:1495-1 https://lists.suse.com/pipermail/sle-security-updates/2019-June/005558.html E-Mail link for SUSE-SU-2019:1495-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1137595 SUSE Bug 1137595 https://www.suse.com/security/cve/CVE-2019-11703/ SUSE CVE CVE-2019-11703 page https://www.suse.com/security/cve/CVE-2019-11704/ SUSE CVE CVE-2019-11704 page https://www.suse.com/security/cve/CVE-2019-11705/ SUSE CVE CVE-2019-11705 page https://www.suse.com/security/cve/CVE-2019-11706/ SUSE CVE CVE-2019-11706 page SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1 MozillaThunderbird-60.7.0-3.36.1 MozillaThunderbird-buildsymbols-60.7.0-3.36.1 MozillaThunderbird-translations-common-60.7.0-3.36.1 MozillaThunderbird-translations-other-60.7.0-3.36.1 MozillaThunderbird-60.7.0-3.36.1 as a component of SUSE Linux Enterprise Workstation Extension 15 MozillaThunderbird-translations-common-60.7.0-3.36.1 as a component of SUSE Linux Enterprise Workstation Extension 15 MozillaThunderbird-translations-other-60.7.0-3.36.1 as a component of SUSE Linux Enterprise Workstation Extension 15 MozillaThunderbird-60.7.0-3.36.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP1 MozillaThunderbird-translations-common-60.7.0-3.36.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP1 MozillaThunderbird-translations-other-60.7.0-3.36.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP1 A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11703 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-other-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-other-60.7.0-3.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191495-1/ https://www.suse.com/security/cve/CVE-2019-11703.html CVE-2019-11703 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11704 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-other-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-other-60.7.0-3.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191495-1/ https://www.suse.com/security/cve/CVE-2019-11704.html CVE-2019-11704 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11705 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-other-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-other-60.7.0-3.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191495-1/ https://www.suse.com/security/cve/CVE-2019-11705.html CVE-2019-11705 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11706 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15 SP1:MozillaThunderbird-translations-other-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-common-60.7.0-3.36.1 SUSE Linux Enterprise Workstation Extension 15:MozillaThunderbird-translations-other-60.7.0-3.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191495-1/ https://www.suse.com/security/cve/CVE-2019-11706.html CVE-2019-11706 https://bugzilla.suse.com/1137595 SUSE Bug 1137595