Security update for Mozilla Thunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:2406-1 Final 1 1 2015-12-31T15:03:38Z current 2015-12-31T15:03:38Z 2015-12-31T15:03:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Mozilla Thunderbird Mozilla Thunderbird was updated to 38.5.0 to fix multiple security issues. The following vulnerabilities were fixed: (boo#959277) * CVE-2015-7201: Miscellaneous memory safety hazards * CVE-2015-7210: Use-after-free in WebRTC when datachannel is used after being destroyed * CVE-2015-7212: Integer overflow allocating extremely large textures * CVE-2015-7205: Underflow through code inspection * CVE-2015-7213: Integer overflow in MP4 playback in 64-bit versions * CVE-2015-7222: Integer underflow and buffer overflow processing MP4 metadata in libstagefright * CVE-2015-7214: Cross-site reading attack through data and view-source URIs The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html E-Mail link for openSUSE-SU-2015:2406-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 MozillaThunderbird-38.5.0-7.2 MozillaThunderbird-buildsymbols-38.5.0-7.2 MozillaThunderbird-devel-38.5.0-7.2 MozillaThunderbird-translations-common-38.5.0-7.2 MozillaThunderbird-translations-other-38.5.0-7.2 MozillaThunderbird-38.5.0-7.2 as a component of openSUSE Leap 42.1 MozillaThunderbird-buildsymbols-38.5.0-7.2 as a component of openSUSE Leap 42.1 MozillaThunderbird-devel-38.5.0-7.2 as a component of openSUSE Leap 42.1 MozillaThunderbird-translations-common-38.5.0-7.2 as a component of openSUSE Leap 42.1 MozillaThunderbird-translations-other-38.5.0-7.2 as a component of openSUSE Leap 42.1 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2015-7201 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7201.html CVE-2015-7201 https://bugzilla.suse.com/959277 SUSE Bug 959277 Integer underflow in the RTPReceiverVideo::ParseRtpPacket function in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 might allow remote attackers to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a crafted WebRTC RTP packet. CVE-2015-7205 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7205.html CVE-2015-7205 https://bugzilla.suse.com/959277 SUSE Bug 959277 Use-after-free vulnerability in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code by triggering attempted use of a data channel that has been closed by a WebRTC function. CVE-2015-7210 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7210.html CVE-2015-7210 https://bugzilla.suse.com/959277 SUSE Bug 959277 Integer overflow in the mozilla::layers::BufferTextureClient::AllocateForSurface function in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code by triggering a graphics operation that requires a large texture allocation. CVE-2015-7212 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7212.html CVE-2015-7212 https://bugzilla.suse.com/959277 SUSE Bug 959277 Integer overflow in the MPEG4Extractor::readMetaData function in MPEG4Extractor.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 on 64-bit platforms allows remote attackers to execute arbitrary code via a crafted MP4 video file that triggers a buffer overflow. CVE-2015-7213 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7213.html CVE-2015-7213 https://bugzilla.suse.com/959277 SUSE Bug 959277 Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs. CVE-2015-7214 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7214.html CVE-2015-7214 https://bugzilla.suse.com/959277 SUSE Bug 959277 Integer underflow in the Metadata::setData function in MetaData.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect memory allocation and application crash) via an MP4 video file with crafted covr metadata that triggers a buffer overflow. CVE-2015-7222 openSUSE Leap 42.1:MozillaThunderbird-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-buildsymbols-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-devel-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-common-38.5.0-7.2 openSUSE Leap 42.1:MozillaThunderbird-translations-other-38.5.0-7.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-12/msg00049.html https://www.suse.com/security/cve/CVE-2015-7222.html CVE-2015-7222 https://bugzilla.suse.com/959277 SUSE Bug 959277