Security update for Mozilla Thunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1579-1 Final 1 1 2017-06-16T09:03:31Z current 2017-06-16T09:03:31Z 2017-06-16T09:03:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Mozilla Thunderbird This update to Thunderbird 52.2 fixes security issues and bugs. The following vulnerabilities were fixed: * CVE-2017-5472: Use-after-free using destroyed node when regenerating trees * CVE-2017-7749: Use-after-free during docshell reloading * CVE-2017-7750: Use-after-free with track elements * CVE-2017-7751: Use-after-free with content viewer listeners * CVE-2017-7752: Use-after-free with IME input * CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757: Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777: Vulnerabilities in the Graphite 2 library * CVE-2017-7758: Out-of-bounds read in Opus encoder * CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks * CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 Mozilla Thunderbird now requires NSS 3.28.5. The following bugs were fixed: * Embedded images not shown in email received from Hotmail/Outlook webmailer * Detection of non-ASCII font names in font selector * Attachment not forwarded correctly under certain circumstances * Multiple requests for master password when GMail OAuth2 is enabled * Large number of blank pages being printed under certain circumstances when invalid preferences were present * Messages sent via the Simple MAPI interface are forced to HTML * Calendar: Invitations can't be printed * Mailing list (group) not accessible from macOS or Outlook address book * Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-694 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1040105 SUSE Bug 1040105 https://bugzilla.suse.com/1042090 SUSE Bug 1042090 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1273265 SUSE Bug 1273265 https://bugzilla.suse.com/1355039 SUSE Bug 1355039 https://bugzilla.suse.com/1356558 SUSE Bug 1356558 https://bugzilla.suse.com/1356824 SUSE Bug 1356824 https://bugzilla.suse.com/1357090 SUSE Bug 1357090 https://bugzilla.suse.com/1359547 SUSE Bug 1359547 https://bugzilla.suse.com/1360309 SUSE Bug 1360309 https://bugzilla.suse.com/1363396 SUSE Bug 1363396 https://bugzilla.suse.com/1364283 SUSE Bug 1364283 https://bugzilla.suse.com/1365602 SUSE Bug 1365602 https://bugzilla.suse.com/1366595 SUSE Bug 1366595 https://bugzilla.suse.com/1368490 SUSE Bug 1368490 https://www.suse.com/security/cve/CVE-2017-5470/ SUSE CVE CVE-2017-5470 page https://www.suse.com/security/cve/CVE-2017-5472/ SUSE CVE CVE-2017-5472 page https://www.suse.com/security/cve/CVE-2017-7749/ SUSE CVE CVE-2017-7749 page https://www.suse.com/security/cve/CVE-2017-7750/ SUSE CVE CVE-2017-7750 page https://www.suse.com/security/cve/CVE-2017-7751/ SUSE CVE CVE-2017-7751 page https://www.suse.com/security/cve/CVE-2017-7752/ SUSE CVE CVE-2017-7752 page https://www.suse.com/security/cve/CVE-2017-7754/ SUSE CVE CVE-2017-7754 page https://www.suse.com/security/cve/CVE-2017-7756/ SUSE CVE CVE-2017-7756 page https://www.suse.com/security/cve/CVE-2017-7757/ SUSE CVE CVE-2017-7757 page https://www.suse.com/security/cve/CVE-2017-7758/ SUSE CVE CVE-2017-7758 page https://www.suse.com/security/cve/CVE-2017-7763/ SUSE CVE CVE-2017-7763 page https://www.suse.com/security/cve/CVE-2017-7764/ SUSE CVE CVE-2017-7764 page https://www.suse.com/security/cve/CVE-2017-7765/ SUSE CVE CVE-2017-7765 page https://www.suse.com/security/cve/CVE-2017-7771/ SUSE CVE CVE-2017-7771 page https://www.suse.com/security/cve/CVE-2017-7772/ SUSE CVE CVE-2017-7772 page https://www.suse.com/security/cve/CVE-2017-7773/ SUSE CVE CVE-2017-7773 page https://www.suse.com/security/cve/CVE-2017-7774/ SUSE CVE CVE-2017-7774 page https://www.suse.com/security/cve/CVE-2017-7775/ SUSE CVE CVE-2017-7775 page https://www.suse.com/security/cve/CVE-2017-7776/ SUSE CVE CVE-2017-7776 page https://www.suse.com/security/cve/CVE-2017-7777/ SUSE CVE CVE-2017-7777 page https://www.suse.com/security/cve/CVE-2017-7778/ SUSE CVE CVE-2017-7778 page SUSE Package Hub 12 MozillaThunderbird-52.2-36.1 MozillaThunderbird-buildsymbols-52.2-36.1 MozillaThunderbird-devel-52.2-36.1 MozillaThunderbird-translations-common-52.2-36.1 MozillaThunderbird-translations-other-52.2-36.1 MozillaThunderbird-52.2-36.1 as a component of SUSE Package Hub 12 MozillaThunderbird-buildsymbols-52.2-36.1 as a component of SUSE Package Hub 12 MozillaThunderbird-devel-52.2-36.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-common-52.2-36.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-other-52.2-36.1 as a component of SUSE Package Hub 12 Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-5470 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5470.html CVE-2017-5470 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-5472 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5472.html CVE-2017-5472 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7749 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7749.html CVE-2017-7749 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability during video control operations when a "<track>" element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7750 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7750.html CVE-2017-7750 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7751 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7751.html CVE-2017-7751 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7752 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7752.html CVE-2017-7752 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7754 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7754.html CVE-2017-7754 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR). This could result in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7756 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7756.html CVE-2017-7756 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7757 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7757.html CVE-2017-7757 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7758 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7758.html CVE-2017-7758 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7763 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7763.html CVE-2017-7763 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7764 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 4 AV:N/AC:H/Au:N/C:P/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7764.html CVE-2017-7764 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7765 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7765.html CVE-2017-7765 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphite2::Pass::readPass function. CVE-2017-7771 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7771.html CVE-2017-7771 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Heap-based Buffer Overflow in Graphite2 library in Firefox before 54 in lz4::decompress function. CVE-2017-7772 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7772.html CVE-2017-7772 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Heap-based Buffer Overflow write in Graphite2 library in Firefox before 54 in lz4::decompress src/Decompressor. CVE-2017-7773 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7773.html CVE-2017-7773 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphite2::Silf::readGraphite function. CVE-2017-7774 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7774.html CVE-2017-7774 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2017-7775 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7775.html CVE-2017-7775 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Heap-based Buffer Overflow read in Graphite2 library in Firefox before 54 in graphite2::Silf::getClassGlyph. CVE-2017-7776 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7776.html CVE-2017-7776 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Use of uninitialized memory in Graphite2 library in Firefox before 54 in graphite2::GlyphCache::Loader::read_glyph function. CVE-2017-7777 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7777.html CVE-2017-7777 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7778 SUSE Package Hub 12:MozillaThunderbird-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.2-36.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.2-36.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7778.html CVE-2017-7778 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242