Nacionalni CERT

Security vulnerabilities in the MozillaThunderbird software package

<p>openSUSE Security Update: Security update for MozillaThunderbird<br />______________________________________________________________________________<br /><br />Announcement ID: openSUSE-SU-2017:2707-1<br />Rating: important<br />References: #1060445 <br />Cross-References: CVE-2017-7793 CVE-2017-7805 CVE-2017-7810<br /> CVE-2017-7814 CVE-2017-7818 CVE-2017-7819<br /> CVE-2017-7823 CVE-2017-7824 CVE-2017-7825<br /> <br />Affected Products:<br /> SUSE Package Hub for SUSE Linux Enterprise 12<br />______________________________________________________________________________<br /><br /> An update that fixes 9 vulnerabilities is now available.<br /><br />Description:<br /><br /><br /><br /> Mozilla Thunderbird was updated to 52.4.0 (boo#1060445)<br /> * new behavior was introduced for replies to mailing list posts: "When<br /> replying to a mailing list, reply will be sent to address in From<br /> header ignoring Reply-to header". A new preference<br /> mail.override_list_reply_to allows to restore the previous behavior.<br /> * Under certain circumstances (image attachment and non-image<br /> attachment), attached images were shown truncated in messages stored<br /> in IMAP folders not synchronised for offline use.<br /> * IMAP UIDs &gt; 0x7FFFFFFF now handled properly Security fixes from Gecko<br /> 52.4esr<br /> * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API<br /> * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array<br /> manipulation<br /> * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in<br /> design mode<br /> * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and<br /> validating elements with ANGLE<br /> * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free<br /> in TLS 1.2 generating handshake hashes<br /> * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and<br /> malware protection warnings<br /> * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render<br 
/> some Tibetan and Arabic unicode characters as spaces<br /> * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a<br /> unique origin<br /> * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR<br /> 52.4<br /><br /> - Add alsa-devel BuildRequires: we care for ALSA support to be built and<br /> thus need to ensure we get the dependencies in place. In the past,<br /> alsa-devel was pulled in by accident: we buildrequire libgnome-devel.<br /> This required esound-devel and that in turn pulled in alsa-devel for us.<br /> libgnome is being fixed to no longer require esound-devel.<br /><br /><br />Patch Instructions:<br /><br /> To install this openSUSE Security Update use YaST online_update.<br /> Alternatively you can run the command listed for your product:<br /><br /> - SUSE Package Hub for SUSE Linux Enterprise 12:<br /><br /> zypper in -t patch openSUSE-2017-1144=1<br /><br /> To bring your system up-to-date, use "zypper patch".<br /><br /><br />Package List:<br /><br /> - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64):<br /><br /> MozillaThunderbird-52.4.0-45.1<br /> MozillaThunderbird-buildsymbols-52.4.0-45.1<br /> MozillaThunderbird-debuginfo-52.4.0-45.1<br /> MozillaThunderbird-debugsource-52.4.0-45.1<br /> MozillaThunderbird-devel-52.4.0-45.1<br /> MozillaThunderbird-translations-common-52.4.0-45.1<br /> MozillaThunderbird-translations-other-52.4.0-45.1<br /><br /><br />References:<br /><br /> https://www.suse.com/security/cve/CVE-2017-7793.html<br /> https://www.suse.com/security/cve/CVE-2017-7805.html<br /> https://www.suse.com/security/cve/CVE-2017-7810.html<br /> https://www.suse.com/security/cve/CVE-2017-7814.html<br /> https://www.suse.com/security/cve/CVE-2017-7818.html<br /> https://www.suse.com/security/cve/CVE-2017-7819.html<br /> https://www.suse.com/security/cve/CVE-2017-7823.html<br /> https://www.suse.com/security/cve/CVE-2017-7824.html<br /> https://www.suse.com/security/cve/CVE-2017-7825.html<br /> 
 https://bugzilla.suse.com/1060445<br /><br /><br /><br /> openSUSE Security Update: Security update for MozillaThunderbird<br />______________________________________________________________________________<br /><br />Announcement ID: openSUSE-SU-2017:2710-1<br />Rating: important<br />References: #1060445 <br />Cross-References: CVE-2017-7793 CVE-2017-7805 CVE-2017-7810<br /> CVE-2017-7814 CVE-2017-7818 CVE-2017-7819<br /> CVE-2017-7823 CVE-2017-7824 CVE-2017-7825<br /> <br />Affected Products:<br /> openSUSE Leap 42.3<br /> openSUSE Leap 42.2<br />______________________________________________________________________________<br /><br /> An update that fixes 9 vulnerabilities is now available.<br /><br />Description:<br /><br /><br /><br /> Mozilla Thunderbird was updated to 52.4.0 (boo#1060445)<br /> * new behavior was introduced for replies to mailing list posts: "When<br /> replying to a mailing list, reply will be sent to address in From<br /> header ignoring Reply-to header". 
A new preference<br /> mail.override_list_reply_to allows to restore the previous behavior.<br /> * Under certain circumstances (image attachment and non-image<br /> attachment), attached images were shown truncated in messages stored<br /> in IMAP folders not synchronised for offline use.<br /> * IMAP UIDs &gt; 0x7FFFFFFF now handled properly Security fixes from Gecko<br /> 52.4esr<br /> * CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch API<br /> * CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA array<br /> manipulation<br /> * CVE-2017-7819 (bmo#1380292) Use-after-free while resizing images in<br /> design mode<br /> * CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing and<br /> validating elements with ANGLE<br /> * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) Use-after-free<br /> in TLS 1.2 generating handshake hashes<br /> * CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass phishing and<br /> malware protection warnings<br /> * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X fonts render<br /> some Tibetan and Arabic unicode characters as spaces<br /> * CVE-2017-7823 (bmo#1396320) CSP sandbox directive did not create a<br /> unique origin<br /> * CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and Firefox ESR<br /> 52.4<br /><br /> - Add alsa-devel BuildRequires: we care for ALSA support to be built and<br /> thus need to ensure we get the dependencies in place. 
In the past,<br /> alsa-devel was pulled in by accident: we buildrequire libgnome-devel.<br /> This required esound-devel and that in turn pulled in alsa-devel for us.<br /> libgnome is being fixed to no longer require esound-devel.<br /><br /><br />Patch Instructions:<br /><br /> To install this openSUSE Security Update use YaST online_update.<br /> Alternatively you can run the command listed for your product:<br /><br /> - openSUSE Leap 42.3:<br /><br /> zypper in -t patch openSUSE-2017-1144=1<br /><br /> - openSUSE Leap 42.2:<br /><br /> zypper in -t patch openSUSE-2017-1144=1<br /><br /> To bring your system up-to-date, use "zypper patch".<br /><br /><br />Package List:<br /><br /> - openSUSE Leap 42.3 (i586 x86_64):<br /><br /> MozillaThunderbird-52.4.0-47.1<br /> MozillaThunderbird-buildsymbols-52.4.0-47.1<br /> MozillaThunderbird-debuginfo-52.4.0-47.1<br /> MozillaThunderbird-debugsource-52.4.0-47.1<br /> MozillaThunderbird-devel-52.4.0-47.1<br /> MozillaThunderbird-translations-common-52.4.0-47.1<br /> MozillaThunderbird-translations-other-52.4.0-47.1<br /><br /> - openSUSE Leap 42.2 (i586 x86_64):<br /><br /> MozillaThunderbird-52.4.0-41.18.1<br /> MozillaThunderbird-buildsymbols-52.4.0-41.18.1<br /> MozillaThunderbird-debuginfo-52.4.0-41.18.1<br /> MozillaThunderbird-debugsource-52.4.0-41.18.1<br /> MozillaThunderbird-devel-52.4.0-41.18.1<br /> MozillaThunderbird-translations-common-52.4.0-41.18.1<br /> MozillaThunderbird-translations-other-52.4.0-41.18.1<br /><br /><br />References:<br /><br /> https://www.suse.com/security/cve/CVE-2017-7793.html<br /> https://www.suse.com/security/cve/CVE-2017-7805.html<br /> https://www.suse.com/security/cve/CVE-2017-7810.html<br /> https://www.suse.com/security/cve/CVE-2017-7814.html<br /> https://www.suse.com/security/cve/CVE-2017-7818.html<br /> https://www.suse.com/security/cve/CVE-2017-7819.html<br /> https://www.suse.com/security/cve/CVE-2017-7823.html<br /> 
 https://www.suse.com/security/cve/CVE-2017-7824.html<br /> https://www.suse.com/security/cve/CVE-2017-7825.html<br /> https://bugzilla.suse.com/1060445</p>
Security vulnerabilities have been discovered in the MozillaThunderbird software package for the openSUSE operating system. They allow potential attackers to cause a DoS condition, bypass security restrictions, present unsafe web destinations as safe, carry out phishing attacks, or execute arbitrary code. Updating with the released patches is advised.
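To confirm that a host actually carries the fixed build after patching, the check below compares an installed version-release string with the fixed build the advisory lists for each product. It is an added example, not part of the openSUSE advisory; the function names and the sample inventory are constructed for illustration, and `sort -V` is used as an approximation of rpm's version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): compare an installed
# MozillaThunderbird build with the fixed build listed per product.

# Fixed version-release strings, copied from the advisory's package lists.
fixed_build() {
    case "$1" in
        "SUSE Package Hub for SUSE Linux Enterprise 12") echo "52.4.0-45.1" ;;
        "openSUSE Leap 42.3") echo "52.4.0-47.1" ;;
        "openSUSE Leap 42.2") echo "52.4.0-41.18.1" ;;
        *) return 1 ;;
    esac
}

# ver_ge A B: succeeds when A >= B. Assumption: GNU `sort -V` is adequate for
# the plain numeric version-release strings used here; it is not a full
# reimplementation of rpm's comparison.
ver_ge() {
    if [ "$1" = "$2" ]; then return 0; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_host PRODUCT INSTALLED: 0 = fixed, 1 = needs the patch,
# 2 = product not covered by this advisory.
check_host() {
    want=$(fixed_build "$1") || { echo "$1: not covered by this advisory"; return 2; }
    if ver_ge "$2" "$want"; then
        echo "$1: $2 is fixed (>= $want)"
    else
        echo "$1: $2 is older than $want, run: zypper in -t patch openSUSE-2017-1144=1"
        return 1
    fi
}

# On a real host the installed build comes from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' MozillaThunderbird
# Constructed sample inventory (product|installed build), illustration only.
while IFS='|' read -r product installed; do
    check_host "$product" "$installed" || true
done <<'EOF'
openSUSE Leap 42.3|52.4.0-47.1
openSUSE Leap 42.2|52.3.0-41.15.1
SUSE Package Hub for SUSE Linux Enterprise 12|52.4.0-45.1
openSUSE Leap 15.0|52.4.0-47.1
EOF
```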