Mozilla’s developers released version 60.7 of the email client Thunderbird on May 21, 2019. This is a maintenance update that closes critical security gaps. Here is some information about it.
German blog reader MCG mentioned it in this comment (thanks). I checked it on my system. The update was detected during an update search in Thunderbird Portable and installed without complaint.
The changes can be found in the release notes. The new version no longer moves focus to the attachment area of a new mail’s window when files are attached to the mail using a keyboard shortcut. In addition, the following vulnerabilities, some of which are rated ‘high’, are fixed according to this security advisory.
- CVE-2019-9816: Type confusion with object groups and UnboxedObjects
- CVE-2019-9817: Stealing of cross-domain images using canvas
- CVE-2019-9818: Use-after-free in crash generation server
- CVE-2019-9819: Compartment mismatch with fetch API
- CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
- CVE-2019-11691: Use-after-free in XMLHttpRequest
- CVE-2019-11692: Use-after-free removing listeners in the event listener manager
- CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
- CVE-2019-7317: Use-after-free in png_image_free of libpng library
- CVE-2019-9797: Cross-origin theft of images with createImageBitmap
- CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
- CVE-2019-11694: Uninitialized memory leakage in Windows sandbox
- CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
- CVE-2019-5798: Out-of-bounds read in Skia
- CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Thunderbird 60.7
Thunderbird is available for Windows (Windows 7, Windows Server 2008 R2 or later), macOS 10.9 or later, and Linux (GTK+ 3.4 or later).