diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index a2a4f81..8f66a1f 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -2,6 +2,32 @@
 Mon Jul  2 12:36:32 UTC 2018 - wr@rosenauer.org
 
 - update to Thunderbird 52.9 (bsc#1098998)
+  MFSA 2018-16 (bsc#1098998)
+  * CVE-2018-12359 (bmo#1459162)
+    Buffer overflow using computed size of canvas element
+  * CVE-2018-12360 (bmo#1459693)
+    Use-after-free when using focus()
+  * CVE-2018-12372 (bmo#1419417)
+    S/MIME and PGP decryption oracles can be built with HTML emails
+  * CVE-2018-12373 (bmo#1464667, bmo#1464056)
+    S/MIME plaintext can be leaked through HTML reply/forward
+  * CVE-2018-12362 (bmo#1452375)
+    Integer overflow in SSSE3 scaler
+  * CVE-2018-12363 (bmo#1464784)
+    Use-after-free when appending DOM nodes
+  * CVE-2018-12364 (bmo#1436241)
+    CSRF attacks through 307 redirects and NPAPI plugins
+  * CVE-2018-12365 (bmo#1459206)
+    Compromised IPC child process can list local filenames
+  * CVE-2018-12366 (bmo#1464039)
+    Invalid data handling during QCMS transformations
+  * CVE-2018-12374 (bmo#1462910)
+    Using form to exfiltrate encrypted mail part by pressing enter in form field
+  * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
+    bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
+    bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
+    bmo#1464079,bmo#1463494,bmo#1458048)
+    Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
 - correct requires and provides handling (boo#1076907)
 - reduce memory footprint with %ix86 at linking time via additional
   compiler flags (boo#1091376)