{"id":"MGASA-2020-0378","summary":"Updated Thunderbird packages fix security vulnerabilities","details":"AppCache manifest poisoning due to url encoded character processing\n(CVE-2020-12415).\n\nUse-after-free in WebRTC VideoBroadcaster (CVE-2020-12416).\n\nInteger overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422).\n\nWebRTC permission prompt could have been bypassed by a compromised content\nprocess (CVE-2020-12424).\n\nOut of bound read in Date.parse() (CVE-2020-12425).\n\nMemory safety bugs fixed in Thunderbird 78 (CVE-2020-12426).\n\nX-Frame-Options bypass using object or embed tags (CVE-2020-15648).\n\nMemory safety bugs fixed in Thunderbird 78.3 (CVE-2020-15673).\n\nXSS when pasting attacker-controlled data into a contenteditable element\n(CVE-2020-15676).\n\nDownload origin spoofing via redirect (CVE-2020-15677).\n\nWhen recursing through layers while scrolling, an iterator may have become\ninvalid, resulting in a potential use-after-free scenario (CVE-2020-15678).\n\nNote that Enigmail will no longer let you manage your PGP keys, but\ninstead will only provide a migration tool. Thunderbird will no longer use\nthe system keyring and GnuPG; instead, it will handle PGP keys internally.\n\nTo use your existing PGP keys with Thunderbird 78 and above, you must use the\nmigration tool from Enigmail upon the first Thunderbird run.\nSee the migration notes on the Mageia wiki.\n\nAlso note that, to protect your keys, you should define a master password\nin Thunderbird.\n","modified":"2026-04-16T00:09:39.092776180Z","published":"2020-09-30T10:01:40Z","upstream":["CVE-2020-12415","CVE-2020-12416","CVE-2020-12422","CVE-2020-12424","CVE-2020-12425","CVE-2020-12426","CVE-2020-15648","CVE-2020-15673","CVE-2020-15676","CVE-2020-15677","CVE-2020-15678"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0378.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26965"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-29/"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.0.1/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.1.0/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.1.1/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.2.0/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.3.0/releasenotes/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/78.3.1/releasenotes/"},{"type":"WEB","url":"https://wiki.mageia.org/en/Migration_from_Thunderbird_68_and_Enigmail_to_Thunderbird_78"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.3.1-3.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0378.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.3.1-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0378.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}