Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy through which the network traffic could be intercepted for that particular execution.
More info:
https://www.debian.org/security/2018/dsa-4211
This update provides mitigations for the Spectre v4 variant in x86-based microprocessors. On Intel CPUs this requires updated microcode which is currently not released publicly (but your hardware vendor may have issued an update). For servers with AMD CPUs no microcode update is needed; please refer to https://xenbits.xen.org/xsa/advisory-263.html for further information.
More info:
https://www.debian.org/security/2018/dsa-4210
Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails.
More info:
https://www.debian.org/security/2018/dsa-4209