[German]Mozilla developers have released version 52.6.0 of the Thunderbird email client. Thunderbird users should update promptly as the client is vulnerable to multiple vulnerabilities.
Advertising
I just got the update request to Thunderbird to version 52.6.0 a day ago, see the following screen shot.
According to the release notes the mail client is available for
• Window: Windows XP, Windows Server 2003 or later
• Mac: Mac OS X 10.9 or later
• Linux: GTK+ 3.4 or higher
Critical security vulnerabilities closed
This Advisory lists several critical vulnerabilities, that has been closed in Thunderbird Version 52.6.0:
Advertising
- CVE-2018-5095: Integer overflow in Skia library during edge builder allocation,
- CVE-2018-5096: Use-after-free while editing form elements
- CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
- CVE-2018-5098: Use-after-free while manipulating form input elements
- CVE-2018-5099: Use-after-free with widget listener
- CVE-2018-5102: Use-after-free in HTML media elements
- CVE-2018-5103: Use-after-free during mouse event handling
- CVE-2018-5104: Use-after-free during font face manipulation
- CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
- CVE-2018-5103: Use-after-free during mouse event handling
- CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6
Generally, however, these vulnerabilities cannot be exploited by email in the Thunderbird product because scripts are disabled when reading email. However, these vulnerabilities are potentially risky in browser or browser-like contexts.
Other fixes
The changelog enlists the following additional fixes.
-
Searching message bodies of messages in local folders, including filter and quick filter operations, not working reliably: Content not found in base64-encode message parts, non-ASCII text not found and false positives found.
-
Defective messages (without at least one expected header) not shown in IMAP folders but shown on mobile devices.
-
Calendar: Unintended task deletion if numlock is enable.
I updated my Thunderbird portable without issues.
