Security update for Mozilla Thunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3433-1 Final 1 1 2017-12-24T22:29:25Z current 2017-12-24T22:29:25Z 2017-12-24T22:29:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Mozilla Thunderbird This update for Mozilla Thunderbird to version 52.5.2 fixes the following vulnerabilities: - CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin (bsc#1074043) - CVE-2017-7847: Local path string can be leaked from RSS feed (bsc#1074044) - CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045) - CVE-2017-7829: From address with encoded null character is cut off in message header display (bsc#1074046) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-1419 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC/#Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC E-Mail link for openSUSE-SU-2017:3433-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1074043 SUSE Bug 1074043 https://bugzilla.suse.com/1074044 SUSE Bug 1074044 https://bugzilla.suse.com/1074045 SUSE Bug 1074045 https://bugzilla.suse.com/1074046 SUSE Bug 1074046 https://www.suse.com/security/cve/CVE-2017-7829/ SUSE CVE CVE-2017-7829 page https://www.suse.com/security/cve/CVE-2017-7846/ SUSE CVE CVE-2017-7846 page https://www.suse.com/security/cve/CVE-2017-7847/ SUSE CVE CVE-2017-7847 page https://www.suse.com/security/cve/CVE-2017-7848/ SUSE CVE CVE-2017-7848 page SUSE Package Hub 12 MozillaThunderbird-52.5.2-51.1 MozillaThunderbird-buildsymbols-52.5.2-51.1 MozillaThunderbird-devel-52.5.2-51.1 MozillaThunderbird-translations-common-52.5.2-51.1 MozillaThunderbird-translations-other-52.5.2-51.1 MozillaThunderbird-52.5.2-51.1 as a component of SUSE Package Hub 12 MozillaThunderbird-buildsymbols-52.5.2-51.1 as a component of SUSE Package Hub 12 MozillaThunderbird-devel-52.5.2-51.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-common-52.5.2-51.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-other-52.5.2-51.1 as a component of SUSE Package Hub 12 It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7829 SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC/#Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC https://www.suse.com/security/cve/CVE-2017-7829.html CVE-2017-7829 https://bugzilla.suse.com/1071236 SUSE Bug 1071236 https://bugzilla.suse.com/1074046 SUSE Bug 1074046 It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7846 SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC/#Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC https://www.suse.com/security/cve/CVE-2017-7846.html CVE-2017-7846 https://bugzilla.suse.com/1074043 SUSE Bug 1074043 Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7847 SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC/#Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC https://www.suse.com/security/cve/CVE-2017-7847.html CVE-2017-7847 https://bugzilla.suse.com/1074044 SUSE Bug 1074044 RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7848 SUSE Package Hub 12:MozillaThunderbird-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.5.2-51.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.5.2-51.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC/#Y37ZBDTQYH6U74CLMVTFTTZQHZYSKJPC https://www.suse.com/security/cve/CVE-2017-7848.html CVE-2017-7848 https://bugzilla.suse.com/1074045 SUSE Bug 1074045