CLD-408 Details
Other IDs this deficiency may be known by:
CVE ID | None |
Other ID(s) | Efail, fixed-in-52.8.0, mfsa2018-13 |
Basic Information:
Affected Package(s) | thunderbird |
Deficiency Type | SECURITY |
Date Created | 2018-05-20 16:15:25 |
Date Last Modified | 2018-05-20 22:53:51 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in thunderbird-52.8.0-i686-1 |
Cucumber 1.0 x86_64 | fixed in thunderbird-52.8.0-x86_64-1 |
Cucumber 1.1 i686 | fixed in thunderbird-52.8.0-i686-1 |
Cucumber 1.1 x86_64 | fixed in thunderbird-52.8.0-x86_64-1 |
Details:
This update contains many mitigations against the EFAIL attacks. For more
information about the EFAIL attacks, see https://efail.de/.
Addresses the following CVEs:
CVE-2018-5183: Backport critical security fixes in Skia
CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
CVE-2018-5154: Use-after-free with SVG animations and clip paths
CVE-2018-5155: Use-after-free with SVG animations and text paths
CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
CVE-2018-5161: Hang via malformed headers
CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
CVE-2018-5170: Filename spoofing for external attachments
CVE-2018-5168: Lightweight themes can be installed without user interaction
CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
CVE-2018-5185: Leaking plaintext through HTML forms
CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and
Thunderbird 52.8
For more information see:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/