Security update for Mozilla Thunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1769-1 Final 1 1 2016-07-10T18:30:29Z current 2016-07-10T18:30:29Z 2016-07-10T18:30:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Mozilla Thunderbird This update contains Mozilla Thunderbird 45.2. (boo#983549) It fixes security issues mostly affecting the e-mail program when used in a browser context, such as viewing a web page or HTMl formatted e-mail. The following vulnerabilities were fixed: - CVE-2016-2818, CVE-2016-2815: Memory safety bugs (boo#983549, MFSA2016-49) Contains the following security fixes from the 45.1 release: (boo#977333) - CVE-2016-2806, CVE-2016-2807: Miscellaneous memory safety hazards (boo#977375, boo#977376, MFSA 2016-39) Contains the following security fixes from the 45.0 release: (boo#969894) - CVE-2016-1952, CVE-2016-1953: Miscellaneous memory safety hazards (MFSA 2016-16) - CVE-2016-1954: Local file overwriting and potential privilege escalation through CSP reports (MFSA 2016-17) - CVE-2016-1955: CSP reports fail to strip location information for embedded iframe pages (MFSA 2016-18) - CVE-2016-1956: Linux video memory DOS with Intel drivers (MFSA 2016-19) - CVE-2016-1957: Memory leak in libstagefright when deleting an array during MP4 processing (MFSA 2016-20) - CVE-2016-1960: Use-after-free in HTML5 string parser (MFSA 2016-23) - CVE-2016-1961: Use-after-free in SetBody (MFSA 2016-24) - CVE-2016-1964: Use-after-free during XML transformations (MFSA 2016-27) - CVE-2016-1974: Out-of-bounds read in HTML parser following a failed allocation (MFSA 2016-34) The graphite font shaping library was disabled, addressing the following font vulnerabilities: - MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 The following tracked packaging changes are included: - fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637) - gcc6 fixes (boo#986162) - running on 48bit va aarch64 (boo#984126) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2016-851 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 E-Mail link for openSUSE-SU-2016:1769-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/969894 SUSE Bug 969894 https://bugzilla.suse.com/977333 SUSE Bug 977333 https://bugzilla.suse.com/977375 SUSE Bug 977375 https://bugzilla.suse.com/977376 SUSE Bug 977376 https://bugzilla.suse.com/983549 SUSE Bug 983549 https://bugzilla.suse.com/984126 SUSE Bug 984126 https://bugzilla.suse.com/984637 SUSE Bug 984637 https://bugzilla.suse.com/986162 SUSE Bug 986162 https://www.suse.com/security/cve/CVE-2016-1952/ SUSE CVE CVE-2016-1952 page https://www.suse.com/security/cve/CVE-2016-1953/ SUSE CVE CVE-2016-1953 page https://www.suse.com/security/cve/CVE-2016-1954/ SUSE CVE CVE-2016-1954 page https://www.suse.com/security/cve/CVE-2016-1955/ SUSE CVE CVE-2016-1955 page https://www.suse.com/security/cve/CVE-2016-1956/ SUSE CVE CVE-2016-1956 page https://www.suse.com/security/cve/CVE-2016-1957/ SUSE CVE CVE-2016-1957 page https://www.suse.com/security/cve/CVE-2016-1960/ SUSE CVE CVE-2016-1960 page https://www.suse.com/security/cve/CVE-2016-1961/ SUSE CVE CVE-2016-1961 page https://www.suse.com/security/cve/CVE-2016-1964/ SUSE CVE CVE-2016-1964 page https://www.suse.com/security/cve/CVE-2016-1974/ SUSE CVE CVE-2016-1974 page https://www.suse.com/security/cve/CVE-2016-1977/ SUSE CVE CVE-2016-1977 page https://www.suse.com/security/cve/CVE-2016-2790/ SUSE CVE CVE-2016-2790 page https://www.suse.com/security/cve/CVE-2016-2791/ SUSE CVE CVE-2016-2791 page https://www.suse.com/security/cve/CVE-2016-2792/ SUSE CVE CVE-2016-2792 page https://www.suse.com/security/cve/CVE-2016-2793/ SUSE CVE CVE-2016-2793 page https://www.suse.com/security/cve/CVE-2016-2794/ SUSE CVE CVE-2016-2794 page https://www.suse.com/security/cve/CVE-2016-2795/ SUSE CVE CVE-2016-2795 page https://www.suse.com/security/cve/CVE-2016-2796/ SUSE CVE CVE-2016-2796 page https://www.suse.com/security/cve/CVE-2016-2797/ SUSE CVE CVE-2016-2797 page https://www.suse.com/security/cve/CVE-2016-2798/ SUSE CVE CVE-2016-2798 page https://www.suse.com/security/cve/CVE-2016-2799/ SUSE CVE CVE-2016-2799 page https://www.suse.com/security/cve/CVE-2016-2800/ SUSE CVE CVE-2016-2800 page https://www.suse.com/security/cve/CVE-2016-2801/ SUSE CVE CVE-2016-2801 page https://www.suse.com/security/cve/CVE-2016-2802/ SUSE CVE CVE-2016-2802 page https://www.suse.com/security/cve/CVE-2016-2806/ SUSE CVE CVE-2016-2806 page https://www.suse.com/security/cve/CVE-2016-2807/ SUSE CVE CVE-2016-2807 page https://www.suse.com/security/cve/CVE-2016-2815/ SUSE CVE CVE-2016-2815 page https://www.suse.com/security/cve/CVE-2016-2818/ SUSE CVE CVE-2016-2818 page SUSE Package Hub 12 MozillaThunderbird-45.2-6.1 MozillaThunderbird-buildsymbols-45.2-6.1 MozillaThunderbird-devel-45.2-6.1 MozillaThunderbird-translations-common-45.2-6.1 MozillaThunderbird-translations-other-45.2-6.1 MozillaThunderbird-45.2-6.1 as a component of SUSE Package Hub 12 MozillaThunderbird-buildsymbols-45.2-6.1 as a component of SUSE Package Hub 12 MozillaThunderbird-devel-45.2-6.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-common-45.2-6.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-other-45.2-6.1 as a component of SUSE Package Hub 12 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-1952 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1952.html CVE-2016-1952 https://bugzilla.suse.com/969894 SUSE Bug 969894 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 45.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to js/src/jit/arm/Assembler-arm.cpp, and unknown other vectors. CVE-2016-1953 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1953.html CVE-2016-1953 https://bugzilla.suse.com/969894 SUSE Bug 969894 The nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not prevent use of a non-HTTP report-uri for a Content Security Policy (CSP) violation report, which allows remote attackers to cause a denial of service (data overwrite) or possibly gain privileges by specifying a URL of a local file. CVE-2016-1954 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1954.html CVE-2016-1954 https://bugzilla.suse.com/969894 SUSE Bug 969894 Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element. CVE-2016-1955 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1955.html CVE-2016-1955 https://bugzilla.suse.com/969894 SUSE Bug 969894 https://bugzilla.suse.com/970257 SUSE Bug 970257 https://bugzilla.suse.com/970377 SUSE Bug 970377 https://bugzilla.suse.com/970378 SUSE Bug 970378 https://bugzilla.suse.com/970379 SUSE Bug 970379 https://bugzilla.suse.com/970380 SUSE Bug 970380 https://bugzilla.suse.com/970381 SUSE Bug 970381 https://bugzilla.suse.com/970431 SUSE Bug 970431 https://bugzilla.suse.com/970433 SUSE Bug 970433 Mozilla Firefox before 45.0 on Linux, when an Intel video driver is used, allows remote attackers to cause a denial of service (memory consumption or stack memory corruption) by triggering use of a WebGL shader. CVE-2016-1956 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1956.html CVE-2016-1956 https://bugzilla.suse.com/969894 SUSE Bug 969894 https://bugzilla.suse.com/970257 SUSE Bug 970257 https://bugzilla.suse.com/970377 SUSE Bug 970377 https://bugzilla.suse.com/970378 SUSE Bug 970378 https://bugzilla.suse.com/970379 SUSE Bug 970379 https://bugzilla.suse.com/970380 SUSE Bug 970380 https://bugzilla.suse.com/970381 SUSE Bug 970381 https://bugzilla.suse.com/970431 SUSE Bug 970431 https://bugzilla.suse.com/970433 SUSE Bug 970433 Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial of service (memory consumption) via an MPEG-4 file that triggers a delete operation on an array. CVE-2016-1957 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1957.html CVE-2016-1957 https://bugzilla.suse.com/969894 SUSE Bug 969894 Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) by leveraging mishandling of end tags, as demonstrated by incorrect SVG processing, aka ZDI-CAN-3545. CVE-2016-1960 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1960.html CVE-2016-1960 https://bugzilla.suse.com/969894 SUSE Bug 969894 Use-after-free vulnerability in the nsHTMLDocument::SetBody function in dom/html/nsHTMLDocument.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code by leveraging mishandling of a root element, aka ZDI-CAN-3574. CVE-2016-1961 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1961.html CVE-2016-1961 https://bugzilla.suse.com/969894 SUSE Bug 969894 Use-after-free vulnerability in the AtomicBaseIncDec function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging mishandling of XML transformations. CVE-2016-1964 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1964.html CVE-2016-1964 https://bugzilla.suse.com/969894 SUSE Bug 969894 The nsScannerString::AppendUnicodeTo function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not verify that memory allocation succeeds, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via crafted Unicode data in an HTML, XML, or SVG document. CVE-2016-1974 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1974.html CVE-2016-1974 https://bugzilla.suse.com/969894 SUSE Bug 969894 The Machine::Code::decoder::analysis::set_ref function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted Graphite smart font. CVE-2016-1977 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-1977.html CVE-2016-1977 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does not initialize memory for an unspecified data structure, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted Graphite smart font. CVE-2016-2790 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2790.html CVE-2016-2790 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2791 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2791.html CVE-2016-2791 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2800. CVE-2016-2792 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2792.html CVE-2016-2792 https://bugzilla.suse.com/969894 SUSE Bug 969894 CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2793 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2793.html CVE-2016-2793 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2794 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2794.html CVE-2016-2794 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::FileFace::get_table_fn function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does not initialize memory for an unspecified data structure, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted Graphite smart font. CVE-2016-2795 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2795.html CVE-2016-2795 https://bugzilla.suse.com/969894 SUSE Bug 969894 Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2796 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2796.html CVE-2016-2796 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2801. CVE-2016-2797 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2797.html CVE-2016-2797 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::GlyphCache::Loader::Loader function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2798 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2798.html CVE-2016-2798 https://bugzilla.suse.com/969894 SUSE Bug 969894 Heap-based buffer overflow in the graphite2::Slot::setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2799 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2799.html CVE-2016-2799 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2792. CVE-2016-2800 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2800.html CVE-2016-2800 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2797. CVE-2016-2801 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2801.html CVE-2016-2801 https://bugzilla.suse.com/969894 SUSE Bug 969894 The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. CVE-2016-2802 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2802.html CVE-2016-2802 https://bugzilla.suse.com/969894 SUSE Bug 969894 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0 and Firefox ESR 45.x before 45.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-2806 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2806.html CVE-2016-2806 https://bugzilla.suse.com/977375 SUSE Bug 977375 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-2807 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2807.html CVE-2016-2807 https://bugzilla.suse.com/977333 SUSE Bug 977333 https://bugzilla.suse.com/977376 SUSE Bug 977376 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-2815 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2815.html CVE-2016-2815 https://bugzilla.suse.com/983549 SUSE Bug 983549 https://bugzilla.suse.com/983638 SUSE Bug 983638 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-2818 SUSE Package Hub 12:MozillaThunderbird-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.2-6.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.2-6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5/#IT5Z2MQVCUU2PY7AOHLQUFDN44PCYHX5 https://www.suse.com/security/cve/CVE-2016-2818.html CVE-2016-2818 https://bugzilla.suse.com/983549 SUSE Bug 983549 https://bugzilla.suse.com/983638 SUSE Bug 983638