Debian Thunderbird vulnerabilities

CVE-2019-11739 [MEDIUM] CVE-2019-11739: thunderbird - Encrypted S/MIME parts in a crafted multipart/alternative message can leak plain... Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. Scope: local bookworm: resolved (fixed in 1:60.9.0-1) bullseye: resolved (fixed in 1:60.9.0-1) forky: resolved (fixed in 1:60.9.0-1) sid: resolved (fixed in 1:60.9.0-

CVE-2019-17016 [MEDIUM] CVE-2019-17016: firefox - When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the... When pasting a tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. Scope: local sid: resolved (fixed in 72.0-1)

CVE-2019-17022 [MEDIUM] CVE-2019-17022: firefox - When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the... When pasting a tag from the clipboard into a rich text editor, the CSS sanitizer does not escape characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would resu

CVE-2019-11762 [MEDIUM] CVE-2019-11762: firefox - If two same-origin documents set document.domain differently to become cross-ori... If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Scope: local sid: resolved (fixed in 70.0-1)

CVE-2019-11698 [MEDIUM] CVE-2019-11698: firefox - If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and... If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability

CVE-2019-9793 [MEDIUM] CVE-2019-9793: firefox - A mechanism was discovered that removes some bounds checking for string, array, ... A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create an arbitrary value in compiled JavaScript, for which the range analysis will infer a fully controlled, incorrect range in circumstances where users have explicitly disa

CVE-2019-7317 [MEDIUM] CVE-2019-7317: firefox - png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free becau... png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. Scope: local sid: resolved (fixed in 67.0-2)

CVE-2019-9797 [MEDIUM] CVE-2019-9797: firefox - Cross-origin images can be read in violation of the same-origin policy by export... Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This vulnerability affects Firefox < 66. Scope: local sid: resolved (fixed in 66.0-1)

CVE-2019-11730 [MEDIUM] CVE-2019-11730: firefox - A vulnerability exists where if a user opens a locally saved HTML file, this fil... A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination

CVE-2019-9817 [MEDIUM] CVE-2019-9817: firefox - Images from a different domain can be read using a canvas object in some circums... Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. Scope: local sid: resolved (fixed in 67.0-2)

CVE-2019-11742 [MEDIUM] CVE-2019-11742: firefox - A same-origin policy violation occurs allowing the theft of cross-origin images ... A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firef

CVE-2019-5785 [MEDIUM] CVE-2019-5785: firefox - Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 ... Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Scope: local sid: resolved (fixed in 65.0.1-1)

CVE-2019-11717 [MEDIUM] CVE-2019-11717: firefox - A vulnerability exists where the caret ("^") character is improperly escaped con... A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Scope: local sid: resolved (fixed in 68.0-1)

CVE-2019-9816 [MEDIUM] CVE-2019-9816: firefox - A possible vulnerability exists where type confusion can occur when manipulating... A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supported releases.*. This vulnerability affects Thunderbird < 60.7, Fir

CVE-2019-11715 [MEDIUM] CVE-2019-11715: firefox - Due to an error while parsing page content, it is possible for properly sanitize... Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Scope: local sid: resolved (fixed in 68.0-1)

CVE-2019-11763 [MEDIUM] CVE-2019-11763: firefox - Failure to correctly handle null bytes when processing HTML entities resulted in... Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mas

CVE-2019-11761 [MEDIUM] CVE-2019-11761: firefox - By using a form with a data URI it was possible to gain access to the privileged... By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. Scope: local sid: resolved (

CVE-2019-20503 [MEDIUM] CVE-2019-20503: chromium - usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_in... usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. Scope: local bookworm: resolved (fixed in 80.0.3987.149-1) bullseye: resolved (fixed in 80.0.3987.149-1) forky: resolved (fixed in 80.0.3987.149-1) sid: resolved (fixed in 80.0.3987.149-1) trixie: resolved (fixed in 80.0.3987.149-1)

CVE-2019-5798 [MEDIUM] CVE-2019-5798: chromium - Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 a... Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Scope: local bookworm: resolved (fixed in 73.0.3683.75-1) bullseye: resolved (fixed in 73.0.3683.75-1) forky: resolved (fixed in 73.0.3683.75-1) sid: resolved (fixed in 73.0.3683.75-1) trixie: reso

CVE-2019-9815 [HIGH] CVE-2019-9815: firefox - If hyperthreading is not disabled, a timing attack vulnerability exists, similar... If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.