openSUSE Security Update : MozillaThunderbird (openSUSE-2016-1057)

Severity: High, Nessus Plugin ID: 93363

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for MozillaThunderbird fixes the following issues:

- update to Thunderbird 45.3.0 (boo#991809)

- Disposition-Notification-To could not be used in mail.compose.other.header

- 'edit as new message' on a received message pre-filled the sender as the composing identity.

- Certain messages caused corruption of the drafts summary database.

Security fixes:

- MFSA 2016-62/CVE-2016-2836 Miscellaneous memory safety hazards

- MFSA 2016-63/CVE-2016-2830 (bmo#1255270) Favicon network connection can persist when page is closed

- MFSA 2016-64/CVE-2016-2838 (bmo#1279814) Buffer overflow rendering SVG with bidirectional content

- MFSA 2016-65/CVE-2016-2839 (bmo#1275339) Cairo rendering crash due to memory allocation issue with FFmpeg 0.10

- MFSA 2016-67/CVE-2016-5252 (bmo#1268854) Stack underflow during 2D graphics rendering

- MFSA 2016-70/CVE-2016-5254 (bmo#1266963) Use-after-free when using alt key and toplevel menus

- MFSA 2016-72/CVE-2016-5258 (bmo#1279146) Use-after-free in DTLS during WebRTC session shutdown

- MFSA 2016-73/CVE-2016-5259 (bmo#1282992) Use-after-free in service workers with nested sync events

- MFSA 2016-76/CVE-2016-5262 (bmo#1277475) Scripts on marquee tag can execute in sandboxed iframes

- MFSA 2016-77/CVE-2016-2837 (bmo#1274637) Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback

- MFSA 2016-78/CVE-2016-5263 (bmo#1276897) Type confusion in display transformation

- MFSA 2016-79/CVE-2016-5264 (bmo#1286183) Use-after-free when applying SVG effects

- MFSA 2016-80/CVE-2016-5265 (bmo#1278013) Same-origin policy violation using local HTML file and saved shortcut file

- Fix for possible buffer overrun (boo#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch]

- add a screenshot to appdata.xml

Solution

Update the affected MozillaThunderbird packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=990856

https://bugzilla.opensuse.org/show_bug.cgi?id=991809

Plugin Details

Severity: High

ID: 93363

File Name: openSUSE-2016-1057.nasl

Version: 2.3

Type: local

Agent: unix

Published: 2016/09/08

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2016/09/06

Reference Information

CVE: CVE-2016-2830, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-6354