thunderbird-52.5.2-1.AXS4
Errata ID: AXSA:2018-2506:01
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 52.5.2.
Security Fix(es):
* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829)
Asianux would like to thank the Mozilla project for reporting these issues. Upstream acknowledges cure53 and Sabri Haddouche as the original reporters.
CVE-2017-7829
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7846
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7847
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7848
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Update packages.
It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2.
It is possible to execute JavaScript in the parsed RSS feed when the RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2.
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain the user name. This vulnerability affects Thunderbird < 52.5.2.
RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2.
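For the sender-spoofing issue described above, a mail gateway or triage script can flag From: headers that carry a null or other control character, whether raw or hidden inside an RFC 2047 encoded-word. This is an added example, not part of the advisory or of Thunderbird's code; the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

# C0 controls (NUL included) and DEL; TAB is left out because folding uses it.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

def from_headers(raw: bytes):
    """Return the unfolded From: header values of a raw RFC 5322 message."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)
    values = []
    for line in re.split(rb"\r?\n", unfolded):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"from":
            values.append(value.strip())
    return values

def decoded_display(value: bytes) -> str:
    """Decode RFC 2047 encoded-words so an encoded control byte becomes visible."""
    text = value.decode("latin-1")
    try:
        chunks = decode_header(text)
    except HeaderParseError:
        return text
    out = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "latin-1", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)

def flag_from_controls(raw: bytes):
    """Return decoded From: values that carry control characters, raw or encoded."""
    flagged = []
    for value in from_headers(raw):
        shown = decoded_display(value)
        if CONTROL.search(value.decode("latin-1")) or CONTROL.search(shown):
            flagged.append(shown)
    return flagged

# Constructed sample messages (not taken from the advisory).
RAW_NUL = b"From: Alice\x00 <sender@example.net>\r\nSubject: t\r\n\r\nbody\r\n"
ENCODED_NUL = b"From: =?utf-8?Q?Alice=00?=\r\n <sender@example.net>\r\n\r\nbody\r\n"
CLEAN = b"From: Alice <alice@example.test>\r\nSubject: t\r\n\r\nbody\r\n"
```

Checking the decoded value as well as the raw bytes matters because an encoded-word such as `=00` contains no control byte until it is decoded.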
N/A
SRPMS
- thunderbird-52.5.2-1.AXS4.src.rpm
MD5: 6b5443e58fbe6614e136122e0086cfda
SHA-256: f396bb4357d05cdd79232c84411376ea11d9ed86d3bf33b1cd4d08417d5c50ab
Size: 400.44 MB
Asianux Server 4 for x86
- thunderbird-52.5.2-1.AXS4.i686.rpm
MD5: 6d7ca47f11c2f981cc5fdef85eac62f5
SHA-256: 72d5d39f965bb144674a647bb9687201dc703b5b463e03479ba90cae66abb8ef
Size: 72.86 MB
Asianux Server 4 for x86_64
- thunderbird-52.5.2-1.AXS4.x86_64.rpm
MD5: 00c150461964bc60c62d2e8452bc0234
SHA-256: 89a6ca4bb05c5accf246c5719277dd7501440369c1b8827388fc02c476e25996
Size: 72.30 MB