   openSUSE Security Update: Security update for Mozilla Thunderbird
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1579-1
Rating:             moderate
References:         #1040105 #1042090 #1043960
Cross-References:   CVE-2017-5470 CVE-2017-5472 CVE-2017-7749
                    CVE-2017-7750 CVE-2017-7751 CVE-2017-7752
                    CVE-2017-7754 CVE-2017-7756 CVE-2017-7757
                    CVE-2017-7758 CVE-2017-7763 CVE-2017-7764
                    CVE-2017-7765 CVE-2017-7771 CVE-2017-7772
                    CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
                    CVE-2017-7776 CVE-2017-7777 CVE-2017-7778
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:

   This update to Thunderbird 52.2 fixes security issues and bugs.

   The following vulnerabilities were fixed:

   * CVE-2017-5472: Use-after-free using destroyed node when regenerating
     trees
   * CVE-2017-7749: Use-after-free during docshell reloading
   * CVE-2017-7750: Use-after-free with track elements
   * CVE-2017-7751: Use-after-free with content viewer listeners
   * CVE-2017-7752: Use-after-free with IME input
   * CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
   * CVE-2017-7756: Use-after-free and use-after-scope logging XHR header
     errors
   * CVE-2017-7757: Use-after-free in IndexedDB
   * CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773,
     CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777:
     Vulnerabilities in the Graphite 2 library
   * CVE-2017-7758: Out-of-bounds read in Opus encoder
   * CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics
     and other Unicode blocks
   * CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR
     52.2

   Mozilla Thunderbird now requires NSS 3.28.5.

   The following bugs were fixed:

   * Embedded images not shown in email received from Hotmail/Outlook
     webmailer
   * Detection of non-ASCII font names in font selector
   * Attachment not forwarded correctly under certain circumstances
   * Multiple requests for master password when GMail OAuth2 is enabled
   * Large number of blank pages being printed under certain circumstances
     when invalid preferences were present
   * Messages sent via the Simple MAPI interface are forced to HTML
   * Calendar: Invitations can't be printed
   * Mailing list (group) not accessible from macOS or Outlook address book
   * Clicking on links with references/anchors where target doesn't exist
     in the message not opening in external browser

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2017-694=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

      MozillaThunderbird-52.2-36.1
      MozillaThunderbird-buildsymbols-52.2-36.1
      MozillaThunderbird-devel-52.2-36.1
      MozillaThunderbird-translations-common-52.2-36.1
      MozillaThunderbird-translations-other-52.2-36.1

References:

   https://www.suse.com/security/cve/CVE-2017-5470.html
   https://www.suse.com/security/cve/CVE-2017-5472.html
   https://www.suse.com/security/cve/CVE-2017-7749.html
   https://www.suse.com/security/cve/CVE-2017-7750.html
   https://www.suse.com/security/cve/CVE-2017-7751.html
   https://www.suse.com/security/cve/CVE-2017-7752.html
   https://www.suse.com/security/cve/CVE-2017-7754.html
   https://www.suse.com/security/cve/CVE-2017-7756.html
   https://www.suse.com/security/cve/CVE-2017-7757.html
   https://www.suse.com/security/cve/CVE-2017-7758.html
   https://www.suse.com/security/cve/CVE-2017-7763.html
   https://www.suse.com/security/cve/CVE-2017-7764.html
   https://www.suse.com/security/cve/CVE-2017-7765.html
   https://www.suse.com/security/cve/CVE-2017-7771.html
   https://www.suse.com/security/cve/CVE-2017-7772.html
   https://www.suse.com/security/cve/CVE-2017-7773.html
   https://www.suse.com/security/cve/CVE-2017-7774.html
   https://www.suse.com/security/cve/CVE-2017-7775.html
   https://www.suse.com/security/cve/CVE-2017-7776.html
   https://www.suse.com/security/cve/CVE-2017-7777.html
   https://www.suse.com/security/cve/CVE-2017-7778.html
   https://bugzilla.suse.com/1040105
   https://bugzilla.suse.com/1042090
   https://bugzilla.suse.com/1043960