Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2209-1 Final 1 1 2017-08-18T09:46:47Z current 2017-08-18T09:46:47Z 2017-08-18T09:46:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird to version 52.3 fixes security issues and bugs. The following vulnerabilities were fixed: - CVE-2017-7798: XUL injection in the style editor in devtools - CVE-2017-7800: Use-after-free in WebSockets during disconnection - CVE-2017-7801: Use-after-free with marquee during window resizing - CVE-2017-7784: Use-after-free with image observers - CVE-2017-7802: Use-after-free resizing image elements - CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - CVE-2017-7786: Buffer overflow while painting non-displayable SVG - CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements# - CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - CVE-2017-7807: Domain hijacking through AppCache fallback - CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - CVE-2017-7803: CSP containing 'sandbox' improperly applied - CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 The following bugs were fixed: - Unwanted inline images shown in rogue SPAM messages - Deleting message from the POP3 server not working when maildir storage was used - Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later - Inline images not scaled to fit when printing - Selected text from another message sometimes included in a reply - No authorisation prompt displayed when inserting image into email body although image URL requires authentication - Large attachments taking a long time to open under some circumstances The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-955 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 E-Mail link for openSUSE-SU-2017:2209-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1052829 SUSE Bug 1052829 https://www.suse.com/security/cve/CVE-2017-7753/ SUSE CVE CVE-2017-7753 page https://www.suse.com/security/cve/CVE-2017-7779/ SUSE CVE CVE-2017-7779 page https://www.suse.com/security/cve/CVE-2017-7782/ SUSE CVE CVE-2017-7782 page https://www.suse.com/security/cve/CVE-2017-7784/ SUSE CVE CVE-2017-7784 page https://www.suse.com/security/cve/CVE-2017-7785/ SUSE CVE CVE-2017-7785 page https://www.suse.com/security/cve/CVE-2017-7786/ SUSE CVE CVE-2017-7786 page https://www.suse.com/security/cve/CVE-2017-7787/ SUSE CVE CVE-2017-7787 page https://www.suse.com/security/cve/CVE-2017-7791/ SUSE CVE CVE-2017-7791 page https://www.suse.com/security/cve/CVE-2017-7792/ SUSE CVE CVE-2017-7792 page https://www.suse.com/security/cve/CVE-2017-7798/ SUSE CVE CVE-2017-7798 page https://www.suse.com/security/cve/CVE-2017-7800/ SUSE CVE CVE-2017-7800 page https://www.suse.com/security/cve/CVE-2017-7801/ SUSE CVE CVE-2017-7801 page https://www.suse.com/security/cve/CVE-2017-7802/ SUSE CVE CVE-2017-7802 page https://www.suse.com/security/cve/CVE-2017-7803/ SUSE CVE CVE-2017-7803 page https://www.suse.com/security/cve/CVE-2017-7804/ SUSE CVE CVE-2017-7804 page https://www.suse.com/security/cve/CVE-2017-7807/ SUSE CVE CVE-2017-7807 page SUSE Package Hub 12 MozillaThunderbird-52.3.0-42.1 MozillaThunderbird-buildsymbols-52.3.0-42.1 MozillaThunderbird-devel-52.3.0-42.1 MozillaThunderbird-translations-common-52.3.0-42.1 MozillaThunderbird-translations-other-52.3.0-42.1 MozillaThunderbird-52.3.0-42.1 as a component of SUSE Package Hub 12 MozillaThunderbird-buildsymbols-52.3.0-42.1 as a component of SUSE Package Hub 12 MozillaThunderbird-devel-52.3.0-42.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-common-52.3.0-42.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-other-52.3.0-42.1 as a component of SUSE Package Hub 12 An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7753 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 7.8 AV:N/AC:M/Au:N/C:P/I:N/A:C 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7753.html CVE-2017-7753 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 Memory safety bugs were reported in Firefox 54, Firefox ESR 52.2, and Thunderbird 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7779 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7779.html CVE-2017-7779 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7782 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7782.html CVE-2017-7782 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7784 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7784.html CVE-2017-7784 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7785 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7785.html CVE-2017-7785 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7786 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7786.html CVE-2017-7786 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7787 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7787.html CVE-2017-7787 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7791 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7791.html CVE-2017-7791 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7792 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7792.html CVE-2017-7792 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR < 52.3 and Firefox < 55. CVE-2017-7798 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7798.html CVE-2017-7798 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7800 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7800.html CVE-2017-7800 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur while re-computing layout for a "marquee" element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7801 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7801.html CVE-2017-7801 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7802 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7802.html CVE-2017-7802 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7803 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7803.html CVE-2017-7803 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7804 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7804.html CVE-2017-7804 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7807 SUSE Package Hub 12:MozillaThunderbird-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-devel-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-52.3.0-42.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-52.3.0-42.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5/#IJOETQICPAUKQMIRZDYIIRKRSWKSIMF5 https://www.suse.com/security/cve/CVE-2017-7807.html CVE-2017-7807 https://bugzilla.suse.com/1052829 SUSE Bug 1052829