Mozilla releases security updates for Thunderbird that fixes one critical vulnerability, two high-level vulnerabilities, and three medium level vulnerabilities.
CVE-2018-12376: Memory corruption issue that may allow an attacker to run arbitrary code on the vulnerable machine. The Vulnerability has a critical impact.
CVE-2018-12377: Use-after-free vulnerability occurs when “refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use” and it results in a potentially exploitable crash.
CVE-2018-12379: Out-of-bounds write can be triggered when Mozilla Updater opens a MAR file format that contains a long file and it results in a potentially exploitable crash.
CVE-2017-16541: Proxy settingscan be bypassed using the automount feature with autofs to create a mount point on the local file system.
CVE-2018-12385: Potentially exploitable crash in TransportSecurityInfo used for SSL due to the data stored in the local cache.
Low Level Vulnerability
CVE-2018-12383: If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This could allow the exposure of stored password data outside of user expectations.