Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0935-1 Final 1 1 2015-05-15T16:14:51Z current 2015-05-15T16:14:51Z 2015-05-15T16:14:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird The Mozilla Thunderbird email, news, and chat client was updated to version 31.7.0 to fix several security issues. The following vulnerabilities were fixed (bnc#930622): * MFSA 2015-46/CVE-2015-2708 Miscellaneous memory safety hazards * MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html E-Mail link for openSUSE-SU-2015:0935-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings MozillaThunderbird-31.7.0-70.53.1 MozillaThunderbird-buildsymbols-31.7.0-70.53.1 MozillaThunderbird-devel-31.7.0-70.53.1 MozillaThunderbird-translations-common-31.7.0-70.53.1 MozillaThunderbird-translations-other-31.7.0-70.53.1 The Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168, as used in Mozilla Firefox before 38.0 and other products, does not properly validate messages, which has unspecified impact and attack vectors. CVE-2011-3079 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html https://www.suse.com/security/cve/CVE-2011-3079.html CVE-2011-3079 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/760264 SUSE Bug 760264 https://bugzilla.suse.com/930622 SUSE Bug 930622 https://bugzilla.suse.com/986639 SUSE Bug 986639 GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file. CVE-2015-0797 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html https://www.suse.com/security/cve/CVE-2015-0797.html CVE-2015-0797 https://bugzilla.suse.com/927559 SUSE Bug 927559 https://bugzilla.suse.com/930622 SUSE Bug 930622 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2015-2708 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html https://www.suse.com/security/cve/CVE-2015-2708.html CVE-2015-2708 https://bugzilla.suse.com/930622 SUSE Bug 930622 Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code via crafted SVG graphics data in conjunction with a crafted Cascading Style Sheets (CSS) token sequence. CVE-2015-2710 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html https://www.suse.com/security/cve/CVE-2015-2710.html CVE-2015-2710 https://bugzilla.suse.com/930622 SUSE Bug 930622 Use-after-free vulnerability in the SetBreaks function in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a document containing crafted text in conjunction with a Cascading Style Sheets (CSS) token sequence containing properties related to vertical text. CVE-2015-2713 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html https://www.suse.com/security/cve/CVE-2015-2713.html CVE-2015-2713 https://bugzilla.suse.com/930622 SUSE Bug 930622 Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. CVE-2015-2716 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-05/msg00037.html https://www.suse.com/security/cve/CVE-2015-2716.html CVE-2015-2716 https://bugzilla.suse.com/930622 SUSE Bug 930622 https://bugzilla.suse.com/939077 SUSE Bug 939077 https://bugzilla.suse.com/980391 SUSE Bug 980391 https://bugzilla.suse.com/983985 SUSE Bug 983985