Security update for Thunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0488-1 Final 1 1 2016-02-17T07:25:25Z current 2016-02-17T07:25:25Z 2016-02-17T07:25:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Thunderbird This update to 38.6.0 fixes the following issues: * MFSA 2016-01/CVE-2016-1930 Miscellaneous memory safety hazards * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) Buffer overflow in WebGL after out of memory allocation The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html E-Mail link for openSUSE-SU-2016:0488-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings MozillaThunderbird-38.6.0-70.74.1 MozillaThunderbird-buildsymbols-38.6.0-70.74.1 MozillaThunderbird-devel-38.6.0-70.74.1 MozillaThunderbird-translations-common-38.6.0-70.74.1 MozillaThunderbird-translations-other-38.6.0-70.74.1 Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. CVE-2015-7575 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html https://www.suse.com/security/cve/CVE-2015-7575.html CVE-2015-7575 https://bugzilla.suse.com/959888 SUSE Bug 959888 https://bugzilla.suse.com/960402 SUSE Bug 960402 https://bugzilla.suse.com/960996 SUSE Bug 960996 https://bugzilla.suse.com/961280 SUSE Bug 961280 https://bugzilla.suse.com/961281 SUSE Bug 961281 https://bugzilla.suse.com/961282 SUSE Bug 961282 https://bugzilla.suse.com/961283 SUSE Bug 961283 https://bugzilla.suse.com/961284 SUSE Bug 961284 https://bugzilla.suse.com/961290 SUSE Bug 961290 https://bugzilla.suse.com/961357 SUSE Bug 961357 https://bugzilla.suse.com/962743 SUSE Bug 962743 https://bugzilla.suse.com/963937 SUSE Bug 963937 https://bugzilla.suse.com/967521 SUSE Bug 967521 https://bugzilla.suse.com/981087 SUSE Bug 981087 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-1930 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-1930.html CVE-2016-1930 https://bugzilla.suse.com/963520 SUSE Bug 963520 https://bugzilla.suse.com/963632 SUSE Bug 963632 Buffer overflow in the BufferSubData function in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allows remote attackers to execute arbitrary code via crafted WebGL content. CVE-2016-1935 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html https://www.suse.com/security/cve/CVE-2016-1935.html CVE-2016-1935 https://bugzilla.suse.com/963520 SUSE Bug 963520 https://bugzilla.suse.com/963635 SUSE Bug 963635