openSUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: openSUSE-SU-2017:0687-1 Rating: moderate References: #1028391 Cross-References: CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410 Affected Products: openSUSE Leap 42.2 openSUSE Leap 42.1 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update to Mozilla Thunderbird 45.8.0 fixes security issues and bugs. The following security issues from advisory MFSA 2017-07 were fixed. (boo#1028391) In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts: - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP - CVE-2017-5401: Memory Corruption when handling ErrorResult - CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) - CVE-2017-5404: Use-after-free working with ranges in selections - CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters - CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping - CVE-2017-5408: Cross-origin reading of video captions in violation of CORS - CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) - CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8 The following non-security issues were fixed: - crash when viewing certain IMAP messages Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-345=1 - openSUSE Leap 42.1: zypper in -t patch openSUSE-2017-345=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.2 (i586 x86_64): MozillaThunderbird-45.8.0-39.1 MozillaThunderbird-buildsymbols-45.8.0-39.1 MozillaThunderbird-debuginfo-45.8.0-39.1 MozillaThunderbird-debugsource-45.8.0-39.1 MozillaThunderbird-devel-45.8.0-39.1 MozillaThunderbird-translations-common-45.8.0-39.1 MozillaThunderbird-translations-other-45.8.0-39.1 - openSUSE Leap 42.1 (i586 x86_64): MozillaThunderbird-45.8.0-39.1 MozillaThunderbird-buildsymbols-45.8.0-39.1 MozillaThunderbird-debuginfo-45.8.0-39.1 MozillaThunderbird-debugsource-45.8.0-39.1 MozillaThunderbird-devel-45.8.0-39.1 MozillaThunderbird-translations-common-45.8.0-39.1 MozillaThunderbird-translations-other-45.8.0-39.1 References: https://www.suse.com/security/cve/CVE-2017-5398.html https://www.suse.com/security/cve/CVE-2017-5400.html https://www.suse.com/security/cve/CVE-2017-5401.html https://www.suse.com/security/cve/CVE-2017-5402.html https://www.suse.com/security/cve/CVE-2017-5404.html https://www.suse.com/security/cve/CVE-2017-5405.html https://www.suse.com/security/cve/CVE-2017-5407.html https://www.suse.com/security/cve/CVE-2017-5408.html https://www.suse.com/security/cve/CVE-2017-5410.html https://bugzilla.suse.com/1028391