openSUSE Security Update : MozillaThunderbird (openSUSE-2017-188)

critical Nessus Plugin ID 96941

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote openSUSE host is missing a security update.

Description

This update to Mozilla Thunderbird 45.7.0 fixes security issues and bugs.

The following security issues from advisory MFSA 2017-03 were fixed (boo#1021991) In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts :

- CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (boo#1021814)

- CVE-2017-5376: Use-after-free in XSL (boo#1021817)

- CVE-2017-5378: Pointer and frame data leakage of JavaScript objects (boo#1021818)

- CVE-2017-5380: Potential use-after-free during DOM manipulations (boo#1021819)

- CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (boo#1021820)

- CVE-2017-5396: Use-after-free with Media Decoder (boo#1021821)

- CVE-2017-5383: Location bar spoofing with unicode characters (boo#1021822)

- CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7 (boo#1021824)

The following non-security bugs were fixed :

- Message preview pane non-functional after IMAP folder was renamed or moved

- 'Move To' button on 'Search Messages' panel not working

- Message sent to 'undisclosed recipients' shows no recipient (non-functional since Thunderbird version 38)

Solution

Update the affected MozillaThunderbird packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1021814

https://bugzilla.opensuse.org/show_bug.cgi?id=1021817

https://bugzilla.opensuse.org/show_bug.cgi?id=1021818

https://bugzilla.opensuse.org/show_bug.cgi?id=1021819

https://bugzilla.opensuse.org/show_bug.cgi?id=1021820

https://bugzilla.opensuse.org/show_bug.cgi?id=1021821

https://bugzilla.opensuse.org/show_bug.cgi?id=1021822

https://bugzilla.opensuse.org/show_bug.cgi?id=1021824

https://bugzilla.opensuse.org/show_bug.cgi?id=1021991

Plugin Details

Severity: Critical

ID: 96941

File Name: openSUSE-2017-188.nasl

Version: 3.9

Type: local

Agent: unix

Published: 2/2/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, cpe:/o:novell:opensuse:42.1, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/1/2017

Vulnerability Publication Date: 6/11/2018

Reference Information

CVE: CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396