Mailinglist Archive: opensuse-updates (121 mails)

< Previous Next >
openSUSE-SU-2017:0688-1: moderate: Security update for MozillaThunderbird
openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:0688-1
Rating: moderate
References: #1028391
Cross-References: CVE-2017-5398 CVE-2017-5400 CVE-2017-5401
CVE-2017-5402 CVE-2017-5404 CVE-2017-5405
CVE-2017-5407 CVE-2017-5408 CVE-2017-5410

Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update to Mozilla Thunderbird 45.8.0 fixes security issues and bugs.

The following security issues from advisory MFSA 2017-07 were fixed.
(boo#1028391) In general, these flaws cannot be exploited through email in
Thunderbird because scripting is disabled when reading mail, but are
potentially risks in browser or browser-like contexts:

- CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
- CVE-2017-5401: Memory Corruption when handling ErrorResult
- CVE-2017-5402: Use-after-free working with events in FontFace objects
(bmo#1334876)
- CVE-2017-5404: Use-after-free working with ranges in selections
- CVE-2017-5407: Pixel and history stealing via floating-point timing side
channel with SVG filters
- CVE-2017-5410: Memory corruption during JavaScript garbage collection
incremental sweeping
- CVE-2017-5408: Cross-origin reading of video captions in violation of
CORS
- CVE-2017-5405: FTP response codes can cause use of uninitialized values
for ports (bmo#1336699)
- CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8

The following non-security issues were fixed:

- crash when viewing certain IMAP messages


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2017-345=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 s390x x86_64):

MozillaThunderbird-45.8.0-27.1
MozillaThunderbird-debuginfo-45.8.0-27.1
MozillaThunderbird-debugsource-45.8.0-27.1
MozillaThunderbird-devel-45.8.0-27.1
MozillaThunderbird-translations-common-45.8.0-27.1
MozillaThunderbird-translations-other-45.8.0-27.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):

MozillaThunderbird-buildsymbols-45.8.0-27.1


References:

https://www.suse.com/security/cve/CVE-2017-5398.html
https://www.suse.com/security/cve/CVE-2017-5400.html
https://www.suse.com/security/cve/CVE-2017-5401.html
https://www.suse.com/security/cve/CVE-2017-5402.html
https://www.suse.com/security/cve/CVE-2017-5404.html
https://www.suse.com/security/cve/CVE-2017-5405.html
https://www.suse.com/security/cve/CVE-2017-5407.html
https://www.suse.com/security/cve/CVE-2017-5408.html
https://www.suse.com/security/cve/CVE-2017-5410.html
https://bugzilla.suse.com/1028391


< Previous Next >
This Thread
  • No further messages