openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:2209-1
Rating:             important
References:         #1052829 
Cross-References:   CVE-2017-7753 CVE-2017-7779 CVE-2017-7782
                    CVE-2017-7784 CVE-2017-7785 CVE-2017-7786
                    CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
                    CVE-2017-7798 CVE-2017-7800 CVE-2017-7801
                    CVE-2017-7802 CVE-2017-7803 CVE-2017-7804
                    CVE-2017-7807
Affected Products:
                    openSUSE Leap 42.3
                    openSUSE Leap 42.2
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird to version 52.3 fixes security issues
   and bugs.

   The following vulnerabilities were fixed:

   - CVE-2017-7798: XUL injection in the style editor in devtools
   - CVE-2017-7800: Use-after-free in WebSockets during disconnection
   - CVE-2017-7801: Use-after-free with marquee during window resizing
   - CVE-2017-7784: Use-after-free with image observers   - CVE-2017-7802: Use-after-free resizing image elements
   - CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
   - CVE-2017-7786: Buffer overflow while painting non-displayable SVG
   - CVE-2017-7753: Out-of-bounds read with cached style data and
     pseudo-elements#
   - CVE-2017-7787: Same-origin policy bypass with iframes through page
     reloads
   - CVE-2017-7807: Domain hijacking through AppCache fallback
   - CVE-2017-7792: Buffer overflow viewing certificates with an extremely
     long OID
   - CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
   - CVE-2017-7791: Spoofing following page navigation with data: protocol
     and modal alerts
   - CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP
     protections
   - CVE-2017-7803: CSP containing 'sandbox' improperly applied
   - CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR
     52.3

   The following bugs were fixed:

   - Unwanted inline images shown in rogue SPAM messages
   - Deleting message from the POP3 server not working when maildir storage
     was used
   - Message disposition flag (replied / forwarded) lost when reply or
     forwarded message was stored as draft and draft was sent later
   - Inline images not scaled to fit when printing
   - Selected text from another message sometimes included in a reply
   - No authorisation prompt displayed when inserting image into email body
     although image URL requires authentication
   - Large attachments taking a long time to open under some circumstances


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2017-955=1

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-955=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      MozillaThunderbird-52.3.0-44.1
      MozillaThunderbird-buildsymbols-52.3.0-44.1
      MozillaThunderbird-debuginfo-52.3.0-44.1
      MozillaThunderbird-debugsource-52.3.0-44.1
      MozillaThunderbird-devel-52.3.0-44.1
      MozillaThunderbird-translations-common-52.3.0-44.1
      MozillaThunderbird-translations-other-52.3.0-44.1

   - openSUSE Leap 42.2 (i586 x86_64):

      MozillaThunderbird-52.3.0-41.15.1
      MozillaThunderbird-buildsymbols-52.3.0-41.15.1
      MozillaThunderbird-debuginfo-52.3.0-41.15.1
      MozillaThunderbird-debugsource-52.3.0-41.15.1
      MozillaThunderbird-devel-52.3.0-41.15.1
      MozillaThunderbird-translations-common-52.3.0-41.15.1
      MozillaThunderbird-translations-other-52.3.0-41.15.1


References:

   https://www.suse.com/security/cve/CVE-2017-7753.html
   https://www.suse.com/security/cve/CVE-2017-7779.html
   https://www.suse.com/security/cve/CVE-2017-7782.html
   https://www.suse.com/security/cve/CVE-2017-7784.html
   https://www.suse.com/security/cve/CVE-2017-7785.html
   https://www.suse.com/security/cve/CVE-2017-7786.html
   https://www.suse.com/security/cve/CVE-2017-7787.html
   https://www.suse.com/security/cve/CVE-2017-7791.html
   https://www.suse.com/security/cve/CVE-2017-7792.html
   https://www.suse.com/security/cve/CVE-2017-7798.html
   https://www.suse.com/security/cve/CVE-2017-7800.html
   https://www.suse.com/security/cve/CVE-2017-7801.html
   https://www.suse.com/security/cve/CVE-2017-7802.html
   https://www.suse.com/security/cve/CVE-2017-7803.html
   https://www.suse.com/security/cve/CVE-2017-7804.html
   https://www.suse.com/security/cve/CVE-2017-7807.html
   https://bugzilla.suse.com/1052829

openSUSE: 2017:2209-1: important: MozillaThunderbird

August 18, 2017
An update that fixes 16 vulnerabilities is now available

Description

This update for MozillaThunderbird to version 52.3 fixes security issues and bugs. The following vulnerabilities were fixed: - CVE-2017-7798: XUL injection in the style editor in devtools - CVE-2017-7800: Use-after-free in WebSockets during disconnection - CVE-2017-7801: Use-after-free with marquee during window resizing - CVE-2017-7784: Use-after-free with image observers - CVE-2017-7802: Use-after-free resizing image elements - CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - CVE-2017-7786: Buffer overflow while painting non-displayable SVG - CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements# - CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - CVE-2017-7807: Domain hijacking through AppCache fallback - CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - CVE-2017-7803: CSP containing 'sandbox' improperly applied - CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 The following bugs were fixed: - Unwanted inline images shown in rogue SPAM messages - Deleting message from the POP3 server not working when maildir storage was used - Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later - Inline images not scaled to fit when printing - Selected text from another message sometimes included in a reply - No authorisation prompt displayed when inserting image into email body although image URL requires authentication - Large attachments taking a long time to open under some circumstances

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2017-955=1 - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-955=1 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE Leap 42.3 (i586 x86_64): MozillaThunderbird-52.3.0-44.1 MozillaThunderbird-buildsymbols-52.3.0-44.1 MozillaThunderbird-debuginfo-52.3.0-44.1 MozillaThunderbird-debugsource-52.3.0-44.1 MozillaThunderbird-devel-52.3.0-44.1 MozillaThunderbird-translations-common-52.3.0-44.1 MozillaThunderbird-translations-other-52.3.0-44.1 - openSUSE Leap 42.2 (i586 x86_64): MozillaThunderbird-52.3.0-41.15.1 MozillaThunderbird-buildsymbols-52.3.0-41.15.1 MozillaThunderbird-debuginfo-52.3.0-41.15.1 MozillaThunderbird-debugsource-52.3.0-41.15.1 MozillaThunderbird-devel-52.3.0-41.15.1 MozillaThunderbird-translations-common-52.3.0-41.15.1 MozillaThunderbird-translations-other-52.3.0-41.15.1


References

https://www.suse.com/security/cve/CVE-2017-7753.html https://www.suse.com/security/cve/CVE-2017-7779.html https://www.suse.com/security/cve/CVE-2017-7782.html https://www.suse.com/security/cve/CVE-2017-7784.html https://www.suse.com/security/cve/CVE-2017-7785.html https://www.suse.com/security/cve/CVE-2017-7786.html https://www.suse.com/security/cve/CVE-2017-7787.html https://www.suse.com/security/cve/CVE-2017-7791.html https://www.suse.com/security/cve/CVE-2017-7792.html https://www.suse.com/security/cve/CVE-2017-7798.html https://www.suse.com/security/cve/CVE-2017-7800.html https://www.suse.com/security/cve/CVE-2017-7801.html https://www.suse.com/security/cve/CVE-2017-7802.html https://www.suse.com/security/cve/CVE-2017-7803.html https://www.suse.com/security/cve/CVE-2017-7804.html https://www.suse.com/security/cve/CVE-2017-7807.html https://bugzilla.suse.com/1052829


Severity
Announcement ID: openSUSE-SU-2017:2209-1
Rating: important
Affected Products: openSUSE Leap 42.3 openSUSE Leap 42.2 .

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved