The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Firefox, Thunderbird: denial of service via TransportSecurityInfo

Synthesis of the vulnerability

An attacker can generate a fatal error via TransportSecurityInfo of Firefox/Thunderbird, in order to trigger a denial of service.
Severity of this weakness: 2/4.
Creation date: 24/09/2018.
References of this bulletin: bulletinjan2019, CERTFR-2018-AVI-451, CERTFR-2018-AVI-469, CVE-2018-12385, DLA-1575-1, DSA-4304-1, DSA-4327-1, FEDORA-2018-3eed69eedc, FEDORA-2018-5f88837c1b, FEDORA-2018-a78cf5fcfc, FEDORA-2018-d64cb04921, MFSA-2018-23, MFSA-2018-25, openSUSE-SU-2018:2817-1, openSUSE-SU-2018:3051-1, openSUSE-SU-2018:3687-1, RHSA-2018:2834-01, RHSA-2018:2835-01, RHSA-2018:3403-01, RHSA-2018:3458-01, SSA:2018-265-01, SUSE-SU-2018:3247-1, SUSE-SU-2018:3476-1, SUSE-SU-2018:3591-1, SUSE-SU-2018:3591-2, USN-3778-1, USN-3793-1, VIGILANCE-VUL-27294.

Description of the vulnerability

An attacker can generate a fatal error via TransportSecurityInfo of Firefox/Thunderbird, in order to trigger a denial of service.

This computer weakness impacts software or systems such as Debian, Fedora, Firefox, Thunderbird, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability note is medium.

The trust level is "confirmed by the editor", with an origin of "document".

An attacker with expert ability can exploit this cybersecurity threat.

Solutions for this threat

Firefox: version 62.0.2.
The version 62.0.2 is fixed:
  https://www.mozilla.org/

Firefox: version 60.2.1.
The version 60.2.1 is fixed:
  https://www.mozilla.org/

Thunderbird: version 60.2.1.
The version 60.2.1 is fixed:
  https://www.thunderbird.net/fr/

Debian 8: new thunderbird packages.
New packages are available:
  Debian 8: thunderbird 1:60.3.0-1~deb8u1

Debian 9: new firefox-esr packages (24/09/2018).
New packages are available:
  Debian 9: firefox-esr 60.2.1esr-1~deb9u1

Debian 9: new thunderbird packages.
New packages are available:
  Debian 9: thunderbird 1:60.2.1-2~deb9u1

Fedora: new firefox packages.
New packages are available:
  Fedora 27: firefox 62.0.2-1.fc27
  Fedora 28: firefox 62.0.2-1.fc28

Fedora: new thunderbird packages.
New packages are available:
  Fedora 28: thunderbird 60.2.1-2.fc28
  Fedora 29: thunderbird 60.2.1-2.fc29

openSUSE Leap: new MozillaFirefox packages (24/09/2018).
New packages are available:
  openSUSE Leap 42.3: MozillaFirefox 60.2.1-112.1
  openSUSE Leap 15.0: MozillaFirefox 60.2.1-lp150.3.17.1

openSUSE Leap: new MozillaThunderbird packages (08/10/2018).
New packages are available:
  openSUSE Leap 42.3: MozillaThunderbird 60.2.1-77.2
  openSUSE Leap 15.0: MozillaThunderbird 60.2.1-lp150.3.19.1

Oracle Solaris: patch for third party software of January 2019 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

RHEL 6: new thunderbird packages.
New packages are available:
  RHEL 6: thunderbird 60.2.1-5.el6

RHEL 7.5: new thunderbird packages.
New packages are available:
  RHEL 7: thunderbird 60.2.1-4.el7_5

RHEL: new firefox packages.
New packages are available:
  RHEL 6: firefox 60.2.1-1.el6
  RHEL 7: firefox 60.2.1-1.el7_5

Slackware: new mozilla-firefox packages.
New packages are available:
  Slackware 14.2: mozilla-firefox 60.2.1esr-*-1_slack14.2

SUSE LE 12: new MozillaFirefox packages.
New packages are available:
  SUSE LE 12 RTM: MozillaFirefox 60.2.2esr-109.46.1, mozilla-nspr 4.19-19.3.1, mozilla-nss 3.36.4-58.15.3
  SUSE LE 12 SP1: MozillaFirefox 60.2.2esr-109.46.1, mozilla-nspr 4.19-19.3.1, mozilla-nss 3.36.4-58.15.3
  SUSE LE 12 SP2: MozillaFirefox 60.2.2esr-109.46.1, mozilla-nspr 4.19-19.3.1, mozilla-nss 3.36.4-58.15.3
  SUSE LE 12 SP3: MozillaFirefox 60.2.2esr-109.46.1, mozilla-nspr 4.19-19.3.1, mozilla-nss 3.36.4-58.15.3

SUSE LE 12: new MozillaThunderbird packages (09/11/2018).
New packages are available:
  SUSE LE 12 RTM-SP3: MozillaThunderbird 60.3.0-74.2

SUSE LE 12 SP4: new MozillaFirefox packages.
New packages are available:
  SUSE LE 12 SP4: MozillaFirefox 60.2.2esr-109.46.1, mozilla-nspr 4.19-19.3.1, mozilla-nss 3.36.4-58.15.3

SUSE LE 15: new MozillaFirefox packages (26/10/2018).
New packages are available:
  SUSE LE 15 RTM: MozillaFirefox 60.2.2-3.13.3

SUSE LE 15: new MozillaThunderbird packages.
New packages are available:
  SUSE LE 15 RTM: MozillaThunderbird 60.2.1-3.13.1

Ubuntu: new firefox packages.
New packages are available:
  Ubuntu 18.04 LTS: firefox 62.0.3+build1-0ubuntu0.18.04.1
  Ubuntu 16.04 LTS: firefox 62.0.3+build1-0ubuntu0.16.04.2
  Ubuntu 14.04 LTS: firefox 62.0.3+build1-0ubuntu0.14.04.2

Ubuntu: new thunderbird packages.
New packages are available:
  Ubuntu 18.04 LTS: thunderbird 1:60.2.1+build1-0ubuntu0.18.04.2
  Ubuntu 16.04 LTS: thunderbird 1:60.2.1+build1-0ubuntu0.16.04.4
  Ubuntu 14.04 LTS: thunderbird 1:60.2.1+build1-0ubuntu0.14.04.2