Bug 1084603 - Thunderbird doesn't save settings about remote content in mails
Thunderbird doesn't save settings about remote content in mails
Status: RESOLVED FIXED
: 1095686 (view as bug list)
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Firefox
Leap 42.3
x86-64 openSUSE 42.3
: P5 - None : Normal with 13 votes (vote)
: ---
Assigned To: E-mail List
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-09 07:41 UTC by Frank Steiner
Modified: 2019-02-19 07:08 UTC (History)
13 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Steiner 2018-03-09 07:41:54 UTC
The bug occurs with the MozillaThunderbird-52.6-56.2 on opensuse leap 42.3 (and all variants of 52.6 for SLE, Tumbleweed etc.).

Start thunderbird with a fresh profile. You don't need to create any account, just open the preferences, go to Preferences -> Privacy. "Allow remote content in messages" should be unchecked. Click on "Exceptions" and enter some domain, press on "Allow", so that it appears in the list of sites, and "save Changes". Close Thunderbird and restart, go to the same dialog again. The entry is gone.

This does work with the vanilla 52.6 downloaded from mozilla.org, so it must be sth. that happens during the configure/build phase of the SuSE rpm.

Comparing strace logs one can see that the vanilla version writes and reads permissions.sqlite for those settings, while the SuSE binary doesn't even try to access this file (there is no occurrence in the whole strace log). See also the report on mozilla.org: https://bugzilla.mozilla.org/show_bug.cgi?id=1436947

cu,
Frank
Comment 1 Ronnie Bailey 2018-03-13 14:05:49 UTC
  I can confirm this bug as I originally reported it on Mozilla's bugzilla. 
  The folks at Mozilla cannot confirm the bug on other flavors of Linux nor on Windows. The bug only seems to exist on various versions of SuSE products. 
   I use Tumbleweed. I have ended up allowing all remote content to be allowed in Thunderbird for now, but of course that is never a good idea.
Comment 2 Helmut Walle 2018-03-18 02:05:59 UTC
Same here - OpenSUSE LEAP 42.3, and
 
MozillaThunderbird-52.6-1.4.x86_64
MozillaFirefox-59.0.1-3.1.x86_64

both from the Mozilla repo for 42.3.
Comment 3 Frank Krüger 2018-03-18 06:42:46 UTC
I can confirm the above-mentioned issue with current Leap 15.0 (build 164.1), with and without the Mozilla repo enabled.
Comment 4 Helmut Walle 2018-04-07 01:22:30 UTC
A further experiment:

1. download TB from Mozilla for Linux 64-bit, from here
https://www.mozilla.org/en-US/thunderbird/all/
2. Unpack and run that TB version (52.7.0 at the time of this writing).
3. Look into remote content preferences - all of my old preferences are still there! (And that is after the SUSE build from the Mozilla repo fails to see them, and setting them new there does not lead to any stored settings on exiting TB.)
Comment 5 Wolfgang Rosenauer 2018-04-07 07:32:38 UTC
From the descriptions here I have no idea really why our package should behave differently.
Just one question to be sure: Are you running under KDE or any other desktop?
Comment 6 Ronnie Bailey 2018-04-07 07:54:18 UTC
I'm running under KDE Plasma, but I believe the behavior is the same even if I login to an LXDE session.
Comment 7 Ronnie Bailey 2018-04-07 08:00:24 UTC
Running Thunderbird 52.7-1.7 from the Tumbleweed Mozilla repo and the behavior hasn't changed. I add exception; save; close and reopen Thunderbird, and the exceptions are no longer there.
Comment 8 Frank Krüger 2018-04-07 08:15:53 UTC
Where does Thunderbird save the information on "Allow remote content"? Are these permissions.sqlite and content-prefs.sqlite? Maybe they are never touched/changed.
Comment 9 Ronnie Bailey 2018-04-07 08:21:08 UTC
  I can also confirm that the problem is not limited to Plasma. I am currently in an LXDE session and have duplicated the results. 
  I add the exceptions using the button located in the warning banner at the top of the message body. I then open preferences to verify that they were added. After confirmation, I hit "save changes" and close preferences. After closing and restarting Thunderbird, there are no exceptions in the info box.
Comment 10 IB Board 2018-04-07 09:05:44 UTC
I'm seeing this on Gnome on Tumbleweed. I've not checked the databases.
Comment 11 Frank Steiner 2018-04-07 10:30:16 UTC
I'm running ctwm, so the WM is definitely not involved.

@comment #8: it's permissions.sqlite, and as I wrote the initial report: looking at the strace output you can see that the SuSE TB isn't even trying to read/write this file. It doesn't show up in the whole strace log, in contrast to the mozilla TB version. So the problem first happens when hitting the Save button. It seems that the button doesn't cause any action.
Comment 12 Helmut Walle 2018-04-07 10:49:09 UTC
(In reply to Frank Steiner from comment #11)
> I'm running ctwm, so the WM is definitely not involved.
> 
> @comment #8: it's permissions.sqlite, and as I wrote the initial report:
> looking at the strace output you can see that the SuSE TB isn't even trying
> to read/write this file. It doesn't show up in the whole strace log, in
> contrast to the mozilla TB version. So the problem first happens when
> hitting the Save button. It seems that the button doesn't cause any action.

Yes, that is consistent with my observations, too. The original TB 52.7.0 Linux 64-bit build from Mozilla.org (not the SUSE Mozilla repo!) does everything right and stores the remote content exceptions in permissions.sqlite, but the SUSE builds (from both the Mozilla repo, and the "normal" Leap repos) don't even try to touch the file.
Comment 13 Helmut Walle 2018-04-07 10:55:07 UTC
There is a further observation: even though a valid permissions.sqlite file is there (as demonstrated by the TB build from Mozilla.org, and it can also be read without problems with sqlitebrowser for example), TB on SUSE does not only not store new exceptions, but it also fails to read the existing exceptions from permissions.sqlite - opening the preferences dialogue shows an empty exceptions list.

File permissions are
-rw-r--r-- permissions.sqlite
Comment 14 Frank Krüger 2018-04-07 13:32:43 UTC
(In reply to Helmut Walle from comment #13)
> There is a further observation: even though a valid permissions.sqlite file
> is there (as demonstrated by the TB build from Mozilla.org, and it can also
> be read without problems with sqlitebrowser for example), TB on SUSE does
> not only not store new exceptions, but it also fails to read the existing
> exceptions from permissions.sqlite - opening the preferences dialogue shows
> an empty exceptions list.
> 
> File permissions are
> -rw-r--r-- permissions.sqlite

On current TW and Leap 15.0 I have
-rw------- permissions.sqlite
Comment 15 Ronnie Bailey 2018-04-07 18:30:42 UTC
On my Tumbleweed machine, permissions.sqlite has not been written to since Feb 6 of this year. I use Thunderbird multiple times every day. I am assuming that an update on or after Feb 6 is where the problem started. I'll look at the changelogs via Yast, but I don't know if they will give much info. I update my system each time I boot, so the date mentioned should be quite close.
Comment 16 IB Board 2018-04-07 18:37:27 UTC
I see 10th Feb as the last modified date.

Implies something changed with v52.6 on 30th January (https://build.opensuse.org/package/revisions/openSUSE:Factory/MozillaThunderbird#commit_item_188) since the next commit is 18th February?
Comment 17 Frank Krüger 2018-04-07 20:16:22 UTC
(In reply to IB Board from comment #16)
> I see 10th Feb as the last modified date.
> 
> Implies something changed with v52.6 on 30th January
> (https://build.opensuse.org/package/revisions/openSUSE:Factory/
> MozillaThunderbird#commit_item_188) since the next commit is 18th February?

I have tested TB 52.0 dated 25 Aug 2017 from the openSUSE Mozilla Beta repo for Tumbleweed (https://download.opensuse.org/repositories/mozilla:/beta/openSUSE_Tumbleweed), getting the same issue as decribed here.
Comment 18 Manfred Härtel 2018-05-14 09:54:15 UTC
I have the same problem in Seamonkey 2.46 under OpenSuse Leap 42.3 (using the usual repositories).

I am quite sure that the problem started a few days ago when an update for the mozilla-nss and mozilla-nspr packages came. I think the mozilla-nspr package is the one to blame.

While investigating the problem I found out the strange fact, that deleting prefs.js causes permissions.sqlite to be read once during the next start (but not subsequently).
Comment 19 Manfred Härtel 2018-05-14 15:32:39 UTC
Even more strange: It is sufficient to remove exactly two preferences before starting seamonkey: browser.places.smartBookmarksVersion and extensions.databaseSchema . If I do this, permissions.sqlite is read normally and everything works. I must admit, that I do not understand why this works.
Comment 20 Ronnie Bailey 2018-05-14 16:00:12 UTC
  Does this act as a persistent workaround, or does it only work a single time, as deleting prefs.js did in your previous comment?
Comment 21 Manfred Härtel 2018-05-14 18:14:58 UTC
No, I have to delete the entries *every* time before starting Seamonkey...
Comment 22 Manfred Härtel 2018-05-15 17:48:31 UTC
This is getting stranger all the time: While removing the both preferences works for a test user, it does *not* work for the user on my system which I use for surfing, which has a much larger prefs.js . I have no idea how this all fits together.
Comment 23 Ronnie Bailey 2018-05-16 06:53:57 UTC
  The fact that this seems to affect both Thunderbird and Seamonkey seems to support your idea that the problem is with a Mozilla support package such as nss or nspr rather than the actual program packages.
Comment 24 IB Board 2018-05-16 18:25:30 UTC
The odd thing with attributing it to mozilla-nss/nspr is that my database was last modified on the 10th Feb, but /var/log/zypp/history says that mozilla-nss was updated on the 24th January and mozilla-nspr was on the 17th January! Meanwhile I installed Thunderbird 52.6-1.1 on 7th Feb.

Given that I use my computers most days and shut it down every night then that's quite a gap between install date and last modification when it would have been running with a supposedly "broken" library (at least on my system).
Comment 25 IB Board 2018-05-16 18:30:02 UTC
And just to cross off a potential cause: I just found this problem (https://support.mozilla.org/en-US/questions/1165994) and disabled all addons and restarted TB, but I still get the broken "remote content" behaviour.
Comment 26 IB Board 2018-05-16 18:37:55 UTC
Also, TB 52.0 from Mozilla:beta (https://build.opensuse.org/package/binaries/mozilla:beta/thunderbird/openSUSE_Tumbleweed) has horribly broken rendering *and* doesn't fix the problem.
Comment 27 Ronnie Bailey 2018-05-17 05:26:11 UTC
    I'm up to Thunderbird-52.7.0 (64 bit) and the problem persists. My "prefs.sqlite" file has still not been modified since Feb, 06 of this year, as was true in my post from April.
Comment 28 Manfred Härtel 2018-05-19 05:22:00 UTC
I made some additional tests to see if the problem really comes from mozilla-nspr.

So I downloaded the NSPR package from the Mozilla server, which, for sure, has no Opensuse specific patches, and compiled it by myself. The problem persists.

Then I thought of a compiler bug. So I compiled NSPR using clang rather than gcc. The problem persists.

So has it really to do with NSPR? The only evidence that I have is that it started on the day when an mozilla-nspr update was received.
Comment 29 Frank Krüger 2018-05-19 09:58:41 UTC
FYI, update to Thunderbird 52.8 from the openSUSE Mozilla repo does not solve the issue described here. Finding the culprit seems like looking for a needle in a haystack.
Comment 30 Wolfgang Rosenauer 2018-05-19 10:41:23 UTC
We'll soon have Thunderbird 60 candidate builds. If it's indeed caused by something around NSPR or NSS there is a chance that it's fixed with the new version.
Comment 31 Wolfgang Rosenauer 2018-05-24 09:40:33 UTC
I can confirm that it's related to NSPR or NSS. I've built a test package with NSPR and NSS included in tree (which are older versions than what we ship as system libs).
This package will also appear in OBS mozilla:experimental if people want to try.

I'm 95% sure that it is NSS and will try that out still.

My assumption for the moment is that
- update to TB 60 will fix the issue once it arrives
- NSPR or NSS is not as backward compatible as it is meant to be and I'll
  discuss with upstream developers as soon as I have a pointer to the 
  definitive library.
Comment 32 Wolfgang Rosenauer 2018-05-24 12:06:12 UTC
So according to my testing it's really mozilla-nss which most likely is causing the issue. Will see if we can find a solution before we are going to TB60 anyway.
Comment 33 Wolfgang Rosenauer 2018-05-24 13:01:35 UTC
There is one more possibility: libsqlite

mozilla-nss requires and loads the system lib libsqlite3.so while Thunderbird ships its own libmozsqlite3.so. While the lib name is different the symbols are the same. So it's pretty much unpredictable which function is used in the TB process.

TB52 has 3.17.0 while Leap 42.3 has 3.8.10.2.

Firefox has the same actually but I have no similar bugreports for that one though.
Therefore this is still something like a guess but I will do some further testing.
Comment 34 Wolfgang Rosenauer 2018-05-24 19:32:54 UTC
I did a bit more tests.

My current conclusion is that the libsqlite pulled in by NSS and conflicting with the built-in sqlite in Thunderbird.

The problem(s):
- on 42.3 the system sqlite3 is too old and TB refuses to compile with it
  therefore I see no way in being able to streamline the versions
- on 15.0 and TW I could build TB with system sqlite at the moment which fixes
  the issue. Still this has some risk as sqlite breakage is not obvious so
  we might run into issues later

What I do not really understand is why Fedora seems unaffected while they seem to use the same compile time options when it comes to sqlite in relation with NSS and Thunderbird.
Comment 35 Frank Krüger 2018-05-24 19:56:09 UTC
(In reply to Wolfgang Rosenauer from comment #34)
> I did a bit more tests.
> 
> My current conclusion is that the libsqlite pulled in by NSS and conflicting
> with the built-in sqlite in Thunderbird.
> 
> The problem(s):
> - on 42.3 the system sqlite3 is too old and TB refuses to compile with it
>   therefore I see no way in being able to streamline the versions
> - on 15.0 and TW I could build TB with system sqlite at the moment which
> fixes
>   the issue. Still this has some risk as sqlite breakage is not obvious so
>   we might run into issues later
> 
> What I do not really understand is why Fedora seems unaffected while they
> seem to use the same compile time options when it comes to sqlite in
> relation with NSS and Thunderbird.

Who says that Fedora is not affected? Unfortunately, I do not have it installed, but maybe someone else could check for the above issue within Fedora.
Comment 36 Wolfgang Rosenauer 2018-05-25 06:30:07 UTC
(In reply to Frank Kruger from comment #35)
> Who says that Fedora is not affected? Unfortunately, I do not have it
> installed, but maybe someone else could check for the above issue within
> Fedora.

Nobody here. But looking at Google I haven't seen reports which indicate that another flavour is affected.
If somebody has easy access (aka installed) Fedora or Ubuntu I would be curious to know.
Comment 37 Andrei Borzenkov 2018-05-26 05:17:49 UTC
(In reply to Wolfgang Rosenauer from comment #36)
> If somebody has easy access (aka installed) Fedora or Ubuntu I would be
> curious to know.

I do not see this problem on up-to-date Ubuntu 16.04 (thunderbird 52.8.0+build1-0ubuntu0.16.04.1 )
Comment 38 Manfred Härtel 2018-05-29 05:00:08 UTC
Thanks to Wolfgang for investigating the problem.

Yesterday I upgraded my system to OpenSuse 15.0, and the problem still persists in Seamonkey (version 2.49.1 from the OpenSuse repositories).
Comment 39 Andreas Stieger 2018-06-04 06:36:21 UTC
*** Bug 1095686 has been marked as a duplicate of this bug. ***
Comment 40 Andreas Stieger 2018-06-04 06:37:10 UTC
Another report hit where TB forgot a different setting.
Seems to be SLE/openSUSE specific:
https://bugzilla.mozilla.org/show_bug.cgi?id=1465830
Comment 41 Nicholas Harvey 2018-06-04 08:12:17 UTC
For information I can confirm my bug (relating to "Use Paragraph format instead of Body Text by default") does not exist in Fedora 28 nor Ubuntu 18.04 using the same version of Thunderbird, so this does seem to be SUSE specific.
Comment 42 Nicholas Harvey 2018-06-04 14:08:22 UTC
Another observation having just inadvertently 'fixed' my issue relating to the lack of persistence of the paragraph settings:

I just downloaded TB 60 Beta 4 from Mozilla's web site:

https://www.thunderbird.net/en-US/channel/

I unpacked it, and in the terminal CD'd to the new directory and launched TB 60 by typing "./thunderbird'.

This loaded TB 60 and imported my settings automatically. I quit, and re-launched TB 52.8.0 and now observe that when I change the paragraph setting, quit & relaunch TB, it now remembers the setting correctly.

So for me it seems the action of launching TB 60 has somehow solved the issue I have on TB 52.8.0. OK, not a permanent fix, but hopefully useful information. The plot thickens...!
Comment 43 IB Board 2018-06-04 19:19:06 UTC
(In reply to Nicholas Harvey from comment #42)
> …
> So for me it seems the action of launching TB 60 has somehow solved the
> issue I have on TB 52.8.0. OK, not a permanent fix, but hopefully useful
> information. The plot thickens...!

Can't confirm that fix here, unfortunately.

Downloaded TB60 from Mozilla. Ran it. Remote images appeared (which is known - vanilla Mozilla builds aren't affected). Quit. Ran stock Thunderbird from Tumbleweed (MozillaThunderbird-52.8-1.1.x86_64) and the images didn't show. Enabled the remote content domains, restarted Thunderbird, images still didn't show.

I even tried after enabling a new domain in TB60, in case it triggered a change that fixed something. No luck.

The plot thickens further!
Comment 44 Eric Benton 2018-07-11 22:48:38 UTC
Any movement on this bug? 
I see it is marked as NEEDINFO but i don't see any request from anyone for info. Is that flag erroneous?
I'm using Leap 42.3 with TB "52.9.0-68.1-x86_64 from vendor OpenSUSE" (according to Yast) and my remote content exceptions disappear every time TB is restarted.
Comment 45 Wolfgang Rosenauer 2018-07-12 04:44:43 UTC
I still have a bit of the suspicion that it might be related to the crypto library NSS.
Stock Thunderbird comes with a quite old one and on openSUSE we use a much more recent one to satisfy Firefox dependencies. I would not expect such an issue resulting from that because that library is meant to be mainly ABI compatible.
As upstream is just about to release version 60 of Thunderbird my hope is that this issue goes away with that version to match Firefox 60esr.

I should have first candidate packages for Thunderbird 60 within the next week or so to see how it behaves.
Comment 46 Arun Persaud 2018-07-23 14:59:41 UTC
Same issue here on Tumbleweed (running i3)

thunderbird:
Name        : MozillaThunderbird
Version     : 52.9.1
Release     : 1.2
Architecture: x86_64

os-release:
NAME="openSUSE Tumbleweed"
# VERSION="20180720"

database:
-rw-r--r-- 1 arun users     22528 Jan 30 08:38 permissions.sqlite

looking at the database directly shows that the exceptions are still stored there, but nothing shows up in Thunderbird. Any exceptions I add don't survive a restart.
Comment 47 Wolfgang Rosenauer 2018-08-06 13:56:16 UTC
Please everyone check out Thunderbird 60 as provided from the mozilla repo.
Unless I did something wrong in testing this should apparently fix that issue. Please report back here.
Comment 48 Nicholas Harvey 2018-08-06 14:06:51 UTC
Hi Wolfgang. For my reported scenario I am now able to change the paragraph style settings and these are remembered correctly when I quit and re-launch Thunderbird 60. Many thanks! Nick.
Comment 49 Wytze van der Raay 2018-08-06 15:07:14 UTC
MozillaThunderbird-60.0-lp150.8.1.x86_64 resolves the issue for me. Thanks!
Comment 50 Frank Krüger 2018-08-06 18:10:21 UTC
(In reply to Wolfgang Rosenauer from comment #47)
> Please everyone check out Thunderbird 60 as provided from the mozilla repo.
> Unless I did something wrong in testing this should apparently fix that
> issue. Please report back here.

The issue is fixed for me as well. I appreciate it.
Comment 51 IB Board 2018-08-06 18:52:48 UTC
Installed MozillaThunderbird-60.0-8.2.x86_64 from https://build.opensuse.org/package/show/mozilla/thunderbird60 on Tumbleweed. Restarted Thunderbird, opened an email with images that I'd previously whitelisted and it loaded them correctly. Opened an email with non-whitelisted images and it still blocked them.

Seems to be good here.
Comment 52 Swamp Workflow Management 2018-08-07 07:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1084603) was mentioned in
https://build.opensuse.org/request/show/627801 Factory / MozillaThunderbird
Comment 53 Manfred Härtel 2018-08-07 12:44:12 UTC
Can we expect the same issue in Seamonkey to be fixed as well?
Comment 54 Swamp Workflow Management 2018-08-27 16:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1084603) was mentioned in
https://build.opensuse.org/request/show/631833 Factory / MozillaThunderbird
Comment 56 Swamp Workflow Management 2018-09-03 21:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1084603) was mentioned in
https://build.opensuse.org/request/show/632920 15.0+42.3+Backports:SLE-12 / MozillaThunderbird
Comment 57 Andreas Stieger 2018-09-08 07:08:17 UTC
Releasing Thunderbird 60 for Leap, done
Comment 58 Swamp Workflow Management 2018-09-08 10:10:40 UTC
openSUSE-SU-2018:2658-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1084603,1098998
CVE References: CVE-2018-12359,CVE-2018-12360,CVE-2018-12361,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12367,CVE-2018-12371,CVE-2018-5156,CVE-2018-5187,CVE-2018-5188
Sources used:
openSUSE Leap 42.3 (src):    MozillaThunderbird-60.0-74.1
openSUSE Leap 15.0 (src):    MozillaThunderbird-60.0-lp150.3.14.1
Comment 61 Swamp Workflow Management 2018-10-06 16:08:15 UTC
openSUSE-SU-2018:3051-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1066489,1084603,1098998,1107343,1107772,1109363,1109379
CVE References: CVE-2017-16541,CVE-2018-12359,CVE-2018-12360,CVE-2018-12361,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12367,CVE-2018-12371,CVE-2018-12376,CVE-2018-12377,CVE-2018-12378,CVE-2018-12383,CVE-2018-12385,CVE-2018-16541,CVE-2018-5156,CVE-2018-5187,CVE-2018-5188
Sources used:
openSUSE Leap 42.3 (src):    MozillaThunderbird-60.2.1-77.2
openSUSE Leap 15.0 (src):    MozillaThunderbird-60.2.1-lp150.3.19.1
Comment 62 Swamp Workflow Management 2018-10-19 16:24:57 UTC
SUSE-SU-2018:3247-1: An update that fixes 19 vulnerabilities is now available.

Category: security (important)
Bug References: 1066489,1084603,1098998,1107343,1107772,1109363,1109379
CVE References: CVE-2017-16541,CVE-2018-12359,CVE-2018-12360,CVE-2018-12361,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12367,CVE-2018-12371,CVE-2018-12376,CVE-2018-12377,CVE-2018-12378,CVE-2018-12383,CVE-2018-12385,CVE-2018-5156,CVE-2018-5187,CVE-2018-5188
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-60.2.1-3.13.1
Comment 63 Swamp Workflow Management 2018-11-09 14:09:51 UTC
openSUSE-SU-2018:3687-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 1066489,1084603,1098998,1107343,1107772,1109363,1109379,1112852
CVE References: CVE-2017-16541,CVE-2018-12359,CVE-2018-12360,CVE-2018-12361,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12367,CVE-2018-12371,CVE-2018-12376,CVE-2018-12377,CVE-2018-12378,CVE-2018-12383,CVE-2018-12385,CVE-2018-12389,CVE-2018-12390,CVE-2018-12391,CVE-2018-12392,CVE-2018-12393,CVE-2018-16541,CVE-2018-5156,CVE-2018-5187,CVE-2018-5188
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-60.3.0-74.2