openSUSE Security Update : Thunderbird (openSUSE-2016-1120)

High Nessus Plugin ID 93706


VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

- update to Thunderbird 45.3.0 (boo#991809)

- Disposition-Notification-To could not be used in mail.compose.other.header

- 'edit as new message' on a received message pre-filled the sender as the composing identity.

- Certain messages caused corruption of the drafts summary database.

Security fixes:

- MFSA 2016-62/CVE-2016-2836 Miscellaneous memory safety hazards

- MFSA 2016-63/CVE-2016-2830 (bmo#1255270) Favicon network connection can persist when page is closed

- MFSA 2016-64/CVE-2016-2838 (bmo#1279814) Buffer overflow rendering SVG with bidirectional content

- MFSA 2016-65/CVE-2016-2839 (bmo#1275339) Cairo rendering crash due to memory allocation issue with FFmpeg 0.10

- MFSA 2016-67/CVE-2016-5252 (bmo#1268854) Stack underflow during 2D graphics rendering

- MFSA 2016-70/CVE-2016-5254 (bmo#1266963) Use-after-free when using alt key and toplevel menus

- MFSA 2016-72/CVE-2016-5258 (bmo#1279146) Use-after-free in DTLS during WebRTC session shutdown

- MFSA 2016-73/CVE-2016-5259 (bmo#1282992) Use-after-free in service workers with nested sync events

- MFSA 2016-76/CVE-2016-5262 (bmo#1277475) Scripts on marquee tag can execute in sandboxed iframes

- MFSA 2016-77/CVE-2016-2837 (bmo#1274637) Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback

- MFSA 2016-78/CVE-2016-5263 (bmo#1276897) Type confusion in display transformation

- MFSA 2016-79/CVE-2016-5264 (bmo#1286183) Use-after-free when applying SVG effects

- MFSA 2016-80/CVE-2016-5265 (bmo#1278013) Same-origin policy violation using local HTML file and saved shortcut file

- Fix for possible buffer overrun (boo#990856) CVE-2016-6354 (bmo#1292534) [mozilla-flex_buffer_overrun.patch]

- add a screenshot to appdata.xml

Solution

Update the affected Thunderbird packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=1255270

https://bugzilla.mozilla.org/show_bug.cgi?id=1266963

https://bugzilla.mozilla.org/show_bug.cgi?id=1268854

https://bugzilla.mozilla.org/show_bug.cgi?id=1274637

https://bugzilla.mozilla.org/show_bug.cgi?id=1275339

https://bugzilla.mozilla.org/show_bug.cgi?id=1276897

https://bugzilla.mozilla.org/show_bug.cgi?id=1277475

https://bugzilla.mozilla.org/show_bug.cgi?id=1278013

https://bugzilla.mozilla.org/show_bug.cgi?id=1279146

https://bugzilla.mozilla.org/show_bug.cgi?id=1279814

https://bugzilla.mozilla.org/show_bug.cgi?id=1282992

https://bugzilla.mozilla.org/show_bug.cgi?id=1286183

https://bugzilla.mozilla.org/show_bug.cgi?id=1292534

https://bugzilla.opensuse.org/show_bug.cgi?id=990856

https://bugzilla.opensuse.org/show_bug.cgi?id=991809

Plugin Details

Severity: High

ID: 93706

File Name: openSUSE-2016-1120.nasl

Version: 2.3

Type: local

Agent: unix

Published: 2016/09/26

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High


CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2016/09/25

Reference Information

CVE: CVE-2016-2830, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-6354