Security update for Mozilla Thunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3108-1 Final 1 1 2017-11-27T18:50:59Z current 2017-11-27T18:50:59Z 2017-11-27T18:50:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Mozilla Thunderbird This update for Mozilla Thunderbird fixes the following issues: Security issues fixed in 52.5.0 ESR as advised in MFSA 2017-26 (boo#1068101): - CVE-2017-7828: Use-after-free of PressShell while restyling layout - CVE-2017-7830: Cross-origin URL information leak through Resource Timing API - CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 The following bug fixes and improvements are included: - Better support for Charter/Spectrum IMAP - No longer mark other messages as read in search folders spanning multiple base folders - IMAP alerts have been corrected and now show the correct server name in case of connection problems - POP alerts have been corrected and now indicate connection problems in case the configured POP server cannot be found The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-1311 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1068101 SUSE Bug 1068101 https://www.suse.com/security/cve/CVE-2017-7826/ SUSE CVE CVE-2017-7826 page https://www.suse.com/security/cve/CVE-2017-7828/ SUSE CVE CVE-2017-7828 page https://www.suse.com/security/cve/CVE-2017-7830/ SUSE CVE CVE-2017-7830 page SUSE Package Hub 12 MozillaThunderbird-52.5.0-48.1 MozillaThunderbird-buildsymbols-52.5.0-48.1 MozillaThunderbird-devel-52.5.0-48.1 MozillaThunderbird-translations-common-52.5.0-48.1 MozillaThunderbird-translations-other-52.5.0-48.1 MozillaThunderbird-52.5.0-48.1 as a component of SUSE Package Hub 12 MozillaThunderbird-buildsymbols-52.5.0-48.1 as a component of SUSE Package Hub 12 MozillaThunderbird-devel-52.5.0-48.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-common-52.5.0-48.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-other-52.5.0-48.1 as a component of SUSE Package Hub 12 Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7826 SUSE Package Hub 12:MozillaThunderbird-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.0-48.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7826.html CVE-2017-7826 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7828 SUSE Package Hub 12:MozillaThunderbird-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.0-48.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7828.html CVE-2017-7828 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7830 SUSE Package Hub 12:MozillaThunderbird-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.0-48.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.0-48.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7830.html CVE-2017-7830 https://bugzilla.suse.com/1068101 SUSE Bug 1068101