MozillaThunderbird-91.1.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10601 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaThunderbird-91.1.1-1.1 on GA media These are all security issues fixed in the MozillaThunderbird-91.1.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10601 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10601 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-3089/ SUSE CVE CVE-2007-3089 page https://www.suse.com/security/cve/CVE-2007-3285/ SUSE CVE CVE-2007-3285 page https://www.suse.com/security/cve/CVE-2007-3656/ SUSE CVE CVE-2007-3656 page https://www.suse.com/security/cve/CVE-2007-3670/ SUSE CVE CVE-2007-3670 page https://www.suse.com/security/cve/CVE-2007-3734/ SUSE CVE CVE-2007-3734 page https://www.suse.com/security/cve/CVE-2007-3735/ SUSE CVE CVE-2007-3735 page https://www.suse.com/security/cve/CVE-2007-3736/ SUSE CVE CVE-2007-3736 page https://www.suse.com/security/cve/CVE-2007-3737/ SUSE CVE CVE-2007-3737 page https://www.suse.com/security/cve/CVE-2007-3738/ SUSE CVE CVE-2007-3738 page https://www.suse.com/security/cve/CVE-2008-0016/ SUSE CVE CVE-2008-0016 page https://www.suse.com/security/cve/CVE-2008-1233/ SUSE CVE CVE-2008-1233 page https://www.suse.com/security/cve/CVE-2008-1236/ SUSE CVE CVE-2008-1236 page https://www.suse.com/security/cve/CVE-2008-3835/ SUSE CVE CVE-2008-3835 page https://www.suse.com/security/cve/CVE-2008-4058/ SUSE CVE CVE-2008-4058 page https://www.suse.com/security/cve/CVE-2008-4061/ SUSE CVE CVE-2008-4061 page https://www.suse.com/security/cve/CVE-2008-4064/ SUSE CVE CVE-2008-4064 page https://www.suse.com/security/cve/CVE-2008-4065/ SUSE CVE CVE-2008-4065 page https://www.suse.com/security/cve/CVE-2008-4067/ SUSE CVE CVE-2008-4067 page https://www.suse.com/security/cve/CVE-2008-4070/ SUSE CVE CVE-2008-4070 page https://www.suse.com/security/cve/CVE-2008-5012/ SUSE CVE CVE-2008-5012 page https://www.suse.com/security/cve/CVE-2008-5014/ SUSE CVE CVE-2008-5014 page https://www.suse.com/security/cve/CVE-2008-5016/ SUSE CVE CVE-2008-5016 page https://www.suse.com/security/cve/CVE-2008-5021/ SUSE CVE CVE-2008-5021 page https://www.suse.com/security/cve/CVE-2008-5022/ SUSE CVE CVE-2008-5022 page https://www.suse.com/security/cve/CVE-2008-5024/ SUSE CVE CVE-2008-5024 page https://www.suse.com/security/cve/CVE-2008-5500/ SUSE CVE CVE-2008-5500 page https://www.suse.com/security/cve/CVE-2008-5503/ SUSE CVE CVE-2008-5503 page https://www.suse.com/security/cve/CVE-2008-5506/ SUSE CVE CVE-2008-5506 page https://www.suse.com/security/cve/CVE-2008-5507/ SUSE CVE CVE-2008-5507 page https://www.suse.com/security/cve/CVE-2008-5508/ SUSE CVE CVE-2008-5508 page https://www.suse.com/security/cve/CVE-2008-5510/ SUSE CVE CVE-2008-5510 page https://www.suse.com/security/cve/CVE-2008-5511/ SUSE CVE CVE-2008-5511 page https://www.suse.com/security/cve/CVE-2016-5824/ SUSE CVE CVE-2016-5824 page https://www.suse.com/security/cve/CVE-2016-9893/ SUSE CVE CVE-2016-9893 page https://www.suse.com/security/cve/CVE-2016-9895/ SUSE CVE CVE-2016-9895 page https://www.suse.com/security/cve/CVE-2016-9897/ SUSE CVE CVE-2016-9897 page https://www.suse.com/security/cve/CVE-2016-9898/ SUSE CVE CVE-2016-9898 page https://www.suse.com/security/cve/CVE-2016-9899/ SUSE CVE CVE-2016-9899 page https://www.suse.com/security/cve/CVE-2016-9900/ SUSE CVE CVE-2016-9900 page https://www.suse.com/security/cve/CVE-2016-9904/ SUSE CVE CVE-2016-9904 page https://www.suse.com/security/cve/CVE-2016-9905/ SUSE CVE CVE-2016-9905 page https://www.suse.com/security/cve/CVE-2017-16541/ SUSE CVE CVE-2017-16541 page https://www.suse.com/security/cve/CVE-2017-5373/ SUSE CVE CVE-2017-5373 page https://www.suse.com/security/cve/CVE-2017-5375/ SUSE CVE CVE-2017-5375 page https://www.suse.com/security/cve/CVE-2017-5376/ SUSE CVE CVE-2017-5376 page https://www.suse.com/security/cve/CVE-2017-5378/ SUSE CVE CVE-2017-5378 page https://www.suse.com/security/cve/CVE-2017-5380/ SUSE CVE CVE-2017-5380 page https://www.suse.com/security/cve/CVE-2017-5383/ SUSE CVE CVE-2017-5383 page https://www.suse.com/security/cve/CVE-2017-5390/ SUSE CVE CVE-2017-5390 page https://www.suse.com/security/cve/CVE-2017-5396/ SUSE CVE CVE-2017-5396 page https://www.suse.com/security/cve/CVE-2017-5398/ SUSE CVE CVE-2017-5398 page https://www.suse.com/security/cve/CVE-2017-5399/ SUSE CVE CVE-2017-5399 page https://www.suse.com/security/cve/CVE-2017-5400/ SUSE CVE CVE-2017-5400 page https://www.suse.com/security/cve/CVE-2017-5401/ SUSE CVE CVE-2017-5401 page https://www.suse.com/security/cve/CVE-2017-5402/ SUSE CVE CVE-2017-5402 page https://www.suse.com/security/cve/CVE-2017-5403/ SUSE CVE CVE-2017-5403 page https://www.suse.com/security/cve/CVE-2017-5404/ SUSE CVE CVE-2017-5404 page https://www.suse.com/security/cve/CVE-2017-5405/ SUSE CVE CVE-2017-5405 page https://www.suse.com/security/cve/CVE-2017-5406/ SUSE CVE CVE-2017-5406 page https://www.suse.com/security/cve/CVE-2017-5407/ SUSE CVE CVE-2017-5407 page https://www.suse.com/security/cve/CVE-2017-5408/ SUSE CVE CVE-2017-5408 page https://www.suse.com/security/cve/CVE-2017-5410/ SUSE CVE CVE-2017-5410 page https://www.suse.com/security/cve/CVE-2017-5412/ SUSE CVE CVE-2017-5412 page https://www.suse.com/security/cve/CVE-2017-5413/ SUSE CVE CVE-2017-5413 page https://www.suse.com/security/cve/CVE-2017-5414/ SUSE CVE CVE-2017-5414 page https://www.suse.com/security/cve/CVE-2017-5416/ SUSE CVE CVE-2017-5416 page https://www.suse.com/security/cve/CVE-2017-5418/ SUSE CVE CVE-2017-5418 page https://www.suse.com/security/cve/CVE-2017-5419/ SUSE CVE CVE-2017-5419 page https://www.suse.com/security/cve/CVE-2017-5421/ SUSE CVE CVE-2017-5421 page https://www.suse.com/security/cve/CVE-2017-5422/ SUSE CVE CVE-2017-5422 page https://www.suse.com/security/cve/CVE-2017-5426/ SUSE CVE CVE-2017-5426 page https://www.suse.com/security/cve/CVE-2017-5429/ SUSE CVE CVE-2017-5429 page https://www.suse.com/security/cve/CVE-2017-5430/ SUSE CVE CVE-2017-5430 page https://www.suse.com/security/cve/CVE-2017-5432/ SUSE CVE CVE-2017-5432 page https://www.suse.com/security/cve/CVE-2017-5433/ SUSE CVE CVE-2017-5433 page https://www.suse.com/security/cve/CVE-2017-5434/ SUSE CVE CVE-2017-5434 page https://www.suse.com/security/cve/CVE-2017-5435/ SUSE CVE CVE-2017-5435 page https://www.suse.com/security/cve/CVE-2017-5436/ SUSE CVE CVE-2017-5436 page https://www.suse.com/security/cve/CVE-2017-5437/ SUSE CVE CVE-2017-5437 page https://www.suse.com/security/cve/CVE-2017-5438/ SUSE CVE CVE-2017-5438 page https://www.suse.com/security/cve/CVE-2017-5439/ SUSE CVE CVE-2017-5439 page https://www.suse.com/security/cve/CVE-2017-5440/ SUSE CVE CVE-2017-5440 page https://www.suse.com/security/cve/CVE-2017-5441/ SUSE CVE CVE-2017-5441 page https://www.suse.com/security/cve/CVE-2017-5442/ SUSE CVE CVE-2017-5442 page https://www.suse.com/security/cve/CVE-2017-5443/ SUSE CVE CVE-2017-5443 page https://www.suse.com/security/cve/CVE-2017-5444/ SUSE CVE CVE-2017-5444 page https://www.suse.com/security/cve/CVE-2017-5445/ SUSE CVE CVE-2017-5445 page https://www.suse.com/security/cve/CVE-2017-5446/ SUSE CVE CVE-2017-5446 page https://www.suse.com/security/cve/CVE-2017-5447/ SUSE CVE CVE-2017-5447 page https://www.suse.com/security/cve/CVE-2017-5449/ SUSE CVE CVE-2017-5449 page https://www.suse.com/security/cve/CVE-2017-5451/ SUSE CVE CVE-2017-5451 page https://www.suse.com/security/cve/CVE-2017-5454/ SUSE CVE CVE-2017-5454 page https://www.suse.com/security/cve/CVE-2017-5459/ SUSE CVE CVE-2017-5459 page https://www.suse.com/security/cve/CVE-2017-5460/ SUSE CVE CVE-2017-5460 page https://www.suse.com/security/cve/CVE-2017-5461/ SUSE CVE CVE-2017-5461 page https://www.suse.com/security/cve/CVE-2017-5462/ SUSE CVE CVE-2017-5462 page https://www.suse.com/security/cve/CVE-2017-5464/ SUSE CVE CVE-2017-5464 page https://www.suse.com/security/cve/CVE-2017-5465/ SUSE CVE CVE-2017-5465 page https://www.suse.com/security/cve/CVE-2017-5466/ SUSE CVE CVE-2017-5466 page https://www.suse.com/security/cve/CVE-2017-5467/ SUSE CVE CVE-2017-5467 page https://www.suse.com/security/cve/CVE-2017-5469/ SUSE CVE CVE-2017-5469 page https://www.suse.com/security/cve/CVE-2017-5470/ SUSE CVE CVE-2017-5470 page https://www.suse.com/security/cve/CVE-2017-5472/ SUSE CVE CVE-2017-5472 page https://www.suse.com/security/cve/CVE-2017-7749/ SUSE CVE CVE-2017-7749 page https://www.suse.com/security/cve/CVE-2017-7750/ SUSE CVE CVE-2017-7750 page https://www.suse.com/security/cve/CVE-2017-7751/ SUSE CVE CVE-2017-7751 page https://www.suse.com/security/cve/CVE-2017-7752/ SUSE CVE CVE-2017-7752 page https://www.suse.com/security/cve/CVE-2017-7753/ SUSE CVE CVE-2017-7753 page https://www.suse.com/security/cve/CVE-2017-7754/ SUSE CVE CVE-2017-7754 page https://www.suse.com/security/cve/CVE-2017-7756/ SUSE CVE CVE-2017-7756 page https://www.suse.com/security/cve/CVE-2017-7757/ SUSE CVE CVE-2017-7757 page https://www.suse.com/security/cve/CVE-2017-7758/ SUSE CVE CVE-2017-7758 page https://www.suse.com/security/cve/CVE-2017-7763/ SUSE CVE CVE-2017-7763 page https://www.suse.com/security/cve/CVE-2017-7764/ SUSE CVE CVE-2017-7764 page https://www.suse.com/security/cve/CVE-2017-7765/ SUSE CVE CVE-2017-7765 page https://www.suse.com/security/cve/CVE-2017-7773/ SUSE CVE CVE-2017-7773 page https://www.suse.com/security/cve/CVE-2017-7777/ SUSE CVE CVE-2017-7777 page https://www.suse.com/security/cve/CVE-2017-7778/ SUSE CVE CVE-2017-7778 page https://www.suse.com/security/cve/CVE-2017-7779/ SUSE CVE CVE-2017-7779 page https://www.suse.com/security/cve/CVE-2017-7782/ SUSE CVE CVE-2017-7782 page https://www.suse.com/security/cve/CVE-2017-7784/ SUSE CVE CVE-2017-7784 page https://www.suse.com/security/cve/CVE-2017-7785/ SUSE CVE CVE-2017-7785 page https://www.suse.com/security/cve/CVE-2017-7786/ SUSE CVE CVE-2017-7786 page https://www.suse.com/security/cve/CVE-2017-7787/ SUSE CVE CVE-2017-7787 page https://www.suse.com/security/cve/CVE-2017-7791/ SUSE CVE CVE-2017-7791 page https://www.suse.com/security/cve/CVE-2017-7792/ SUSE CVE CVE-2017-7792 page https://www.suse.com/security/cve/CVE-2017-7793/ SUSE CVE CVE-2017-7793 page https://www.suse.com/security/cve/CVE-2017-7798/ SUSE CVE CVE-2017-7798 page https://www.suse.com/security/cve/CVE-2017-7800/ SUSE CVE CVE-2017-7800 page https://www.suse.com/security/cve/CVE-2017-7801/ SUSE CVE CVE-2017-7801 page https://www.suse.com/security/cve/CVE-2017-7802/ SUSE CVE CVE-2017-7802 page https://www.suse.com/security/cve/CVE-2017-7803/ SUSE CVE CVE-2017-7803 page https://www.suse.com/security/cve/CVE-2017-7804/ SUSE CVE CVE-2017-7804 page https://www.suse.com/security/cve/CVE-2017-7805/ SUSE CVE CVE-2017-7805 page https://www.suse.com/security/cve/CVE-2017-7807/ SUSE CVE CVE-2017-7807 page https://www.suse.com/security/cve/CVE-2017-7810/ SUSE CVE CVE-2017-7810 page https://www.suse.com/security/cve/CVE-2017-7814/ SUSE CVE CVE-2017-7814 page https://www.suse.com/security/cve/CVE-2017-7818/ SUSE CVE CVE-2017-7818 page https://www.suse.com/security/cve/CVE-2017-7819/ SUSE CVE CVE-2017-7819 page https://www.suse.com/security/cve/CVE-2017-7823/ SUSE CVE CVE-2017-7823 page https://www.suse.com/security/cve/CVE-2017-7824/ SUSE CVE CVE-2017-7824 page https://www.suse.com/security/cve/CVE-2017-7825/ SUSE CVE CVE-2017-7825 page https://www.suse.com/security/cve/CVE-2017-7826/ SUSE CVE CVE-2017-7826 page https://www.suse.com/security/cve/CVE-2017-7828/ SUSE CVE CVE-2017-7828 page https://www.suse.com/security/cve/CVE-2017-7829/ SUSE CVE CVE-2017-7829 page https://www.suse.com/security/cve/CVE-2017-7830/ SUSE CVE CVE-2017-7830 page https://www.suse.com/security/cve/CVE-2017-7845/ SUSE CVE CVE-2017-7845 page https://www.suse.com/security/cve/CVE-2017-7846/ SUSE CVE CVE-2017-7846 page https://www.suse.com/security/cve/CVE-2017-7847/ SUSE CVE CVE-2017-7847 page https://www.suse.com/security/cve/CVE-2017-7848/ SUSE CVE CVE-2017-7848 page https://www.suse.com/security/cve/CVE-2018-12359/ SUSE CVE CVE-2018-12359 page https://www.suse.com/security/cve/CVE-2018-12360/ SUSE CVE CVE-2018-12360 page https://www.suse.com/security/cve/CVE-2018-12361/ SUSE CVE CVE-2018-12361 page https://www.suse.com/security/cve/CVE-2018-12362/ SUSE CVE CVE-2018-12362 page https://www.suse.com/security/cve/CVE-2018-12363/ SUSE CVE CVE-2018-12363 page https://www.suse.com/security/cve/CVE-2018-12364/ SUSE CVE CVE-2018-12364 page https://www.suse.com/security/cve/CVE-2018-12365/ SUSE CVE CVE-2018-12365 page https://www.suse.com/security/cve/CVE-2018-12366/ SUSE CVE CVE-2018-12366 page https://www.suse.com/security/cve/CVE-2018-12367/ SUSE CVE CVE-2018-12367 page https://www.suse.com/security/cve/CVE-2018-12371/ SUSE CVE CVE-2018-12371 page https://www.suse.com/security/cve/CVE-2018-12372/ SUSE CVE CVE-2018-12372 page https://www.suse.com/security/cve/CVE-2018-12373/ SUSE CVE CVE-2018-12373 page https://www.suse.com/security/cve/CVE-2018-12374/ SUSE CVE CVE-2018-12374 page https://www.suse.com/security/cve/CVE-2018-12376/ SUSE CVE CVE-2018-12376 page https://www.suse.com/security/cve/CVE-2018-12377/ SUSE CVE CVE-2018-12377 page https://www.suse.com/security/cve/CVE-2018-12378/ SUSE CVE CVE-2018-12378 page https://www.suse.com/security/cve/CVE-2018-12383/ SUSE CVE CVE-2018-12383 page https://www.suse.com/security/cve/CVE-2018-12385/ SUSE CVE CVE-2018-12385 page https://www.suse.com/security/cve/CVE-2018-12389/ SUSE CVE CVE-2018-12389 page https://www.suse.com/security/cve/CVE-2018-12390/ SUSE CVE CVE-2018-12390 page https://www.suse.com/security/cve/CVE-2018-12391/ SUSE CVE CVE-2018-12391 page https://www.suse.com/security/cve/CVE-2018-12392/ SUSE CVE CVE-2018-12392 page https://www.suse.com/security/cve/CVE-2018-12393/ SUSE CVE CVE-2018-12393 page https://www.suse.com/security/cve/CVE-2018-12405/ SUSE CVE CVE-2018-12405 page https://www.suse.com/security/cve/CVE-2018-17466/ SUSE CVE CVE-2018-17466 page https://www.suse.com/security/cve/CVE-2018-18335/ SUSE CVE CVE-2018-18335 page https://www.suse.com/security/cve/CVE-2018-18356/ SUSE CVE CVE-2018-18356 page https://www.suse.com/security/cve/CVE-2018-18492/ SUSE CVE CVE-2018-18492 page https://www.suse.com/security/cve/CVE-2018-18493/ SUSE CVE CVE-2018-18493 page https://www.suse.com/security/cve/CVE-2018-18494/ SUSE CVE CVE-2018-18494 page https://www.suse.com/security/cve/CVE-2018-18498/ SUSE CVE CVE-2018-18498 page https://www.suse.com/security/cve/CVE-2018-18500/ SUSE CVE CVE-2018-18500 page https://www.suse.com/security/cve/CVE-2018-18501/ SUSE CVE CVE-2018-18501 page https://www.suse.com/security/cve/CVE-2018-18505/ SUSE CVE CVE-2018-18505 page https://www.suse.com/security/cve/CVE-2018-18509/ SUSE CVE CVE-2018-18509 page https://www.suse.com/security/cve/CVE-2018-18511/ SUSE CVE CVE-2018-18511 page https://www.suse.com/security/cve/CVE-2018-5089/ SUSE CVE CVE-2018-5089 page https://www.suse.com/security/cve/CVE-2018-5095/ SUSE CVE CVE-2018-5095 page https://www.suse.com/security/cve/CVE-2018-5096/ SUSE CVE CVE-2018-5096 page https://www.suse.com/security/cve/CVE-2018-5097/ SUSE CVE CVE-2018-5097 page https://www.suse.com/security/cve/CVE-2018-5098/ SUSE CVE CVE-2018-5098 page https://www.suse.com/security/cve/CVE-2018-5099/ SUSE CVE CVE-2018-5099 page https://www.suse.com/security/cve/CVE-2018-5102/ SUSE CVE CVE-2018-5102 page https://www.suse.com/security/cve/CVE-2018-5103/ SUSE CVE CVE-2018-5103 page https://www.suse.com/security/cve/CVE-2018-5104/ SUSE CVE CVE-2018-5104 page https://www.suse.com/security/cve/CVE-2018-5117/ SUSE CVE CVE-2018-5117 page https://www.suse.com/security/cve/CVE-2018-5125/ SUSE CVE CVE-2018-5125 page https://www.suse.com/security/cve/CVE-2018-5127/ SUSE CVE CVE-2018-5127 page https://www.suse.com/security/cve/CVE-2018-5129/ SUSE CVE CVE-2018-5129 page https://www.suse.com/security/cve/CVE-2018-5144/ SUSE CVE CVE-2018-5144 page https://www.suse.com/security/cve/CVE-2018-5145/ SUSE CVE CVE-2018-5145 page https://www.suse.com/security/cve/CVE-2018-5146/ SUSE CVE CVE-2018-5146 page https://www.suse.com/security/cve/CVE-2018-5150/ SUSE CVE CVE-2018-5150 page https://www.suse.com/security/cve/CVE-2018-5154/ SUSE CVE CVE-2018-5154 page https://www.suse.com/security/cve/CVE-2018-5155/ SUSE CVE CVE-2018-5155 page https://www.suse.com/security/cve/CVE-2018-5156/ SUSE CVE CVE-2018-5156 page https://www.suse.com/security/cve/CVE-2018-5159/ SUSE CVE CVE-2018-5159 page https://www.suse.com/security/cve/CVE-2018-5161/ SUSE CVE CVE-2018-5161 page https://www.suse.com/security/cve/CVE-2018-5162/ SUSE CVE CVE-2018-5162 page https://www.suse.com/security/cve/CVE-2018-5168/ SUSE CVE CVE-2018-5168 page https://www.suse.com/security/cve/CVE-2018-5170/ SUSE CVE CVE-2018-5170 page https://www.suse.com/security/cve/CVE-2018-5174/ SUSE CVE CVE-2018-5174 page https://www.suse.com/security/cve/CVE-2018-5178/ SUSE CVE CVE-2018-5178 page https://www.suse.com/security/cve/CVE-2018-5183/ SUSE CVE CVE-2018-5183 page https://www.suse.com/security/cve/CVE-2018-5184/ SUSE CVE CVE-2018-5184 page https://www.suse.com/security/cve/CVE-2018-5185/ SUSE CVE CVE-2018-5185 page https://www.suse.com/security/cve/CVE-2018-5187/ SUSE CVE CVE-2018-5187 page https://www.suse.com/security/cve/CVE-2018-5188/ SUSE CVE CVE-2018-5188 page https://www.suse.com/security/cve/CVE-2019-11691/ SUSE CVE CVE-2019-11691 page https://www.suse.com/security/cve/CVE-2019-11692/ SUSE CVE CVE-2019-11692 page https://www.suse.com/security/cve/CVE-2019-11693/ SUSE CVE CVE-2019-11693 page https://www.suse.com/security/cve/CVE-2019-11694/ SUSE CVE CVE-2019-11694 page https://www.suse.com/security/cve/CVE-2019-11698/ SUSE CVE CVE-2019-11698 page https://www.suse.com/security/cve/CVE-2019-11703/ SUSE CVE CVE-2019-11703 page https://www.suse.com/security/cve/CVE-2019-11704/ SUSE CVE CVE-2019-11704 page https://www.suse.com/security/cve/CVE-2019-11705/ SUSE CVE CVE-2019-11705 page https://www.suse.com/security/cve/CVE-2019-11706/ SUSE CVE CVE-2019-11706 page https://www.suse.com/security/cve/CVE-2019-11707/ SUSE CVE CVE-2019-11707 page https://www.suse.com/security/cve/CVE-2019-11708/ SUSE CVE CVE-2019-11708 page https://www.suse.com/security/cve/CVE-2019-11709/ SUSE CVE CVE-2019-11709 page https://www.suse.com/security/cve/CVE-2019-11711/ SUSE CVE CVE-2019-11711 page https://www.suse.com/security/cve/CVE-2019-11712/ SUSE CVE CVE-2019-11712 page https://www.suse.com/security/cve/CVE-2019-11713/ SUSE CVE CVE-2019-11713 page https://www.suse.com/security/cve/CVE-2019-11715/ SUSE CVE CVE-2019-11715 page https://www.suse.com/security/cve/CVE-2019-11717/ SUSE CVE CVE-2019-11717 page https://www.suse.com/security/cve/CVE-2019-11719/ SUSE CVE CVE-2019-11719 page https://www.suse.com/security/cve/CVE-2019-11729/ SUSE CVE CVE-2019-11729 page https://www.suse.com/security/cve/CVE-2019-11730/ SUSE CVE CVE-2019-11730 page https://www.suse.com/security/cve/CVE-2019-11739/ SUSE CVE CVE-2019-11739 page https://www.suse.com/security/cve/CVE-2019-11740/ SUSE CVE CVE-2019-11740 page https://www.suse.com/security/cve/CVE-2019-11742/ SUSE CVE CVE-2019-11742 page https://www.suse.com/security/cve/CVE-2019-11743/ SUSE CVE CVE-2019-11743 page https://www.suse.com/security/cve/CVE-2019-11744/ SUSE CVE CVE-2019-11744 page https://www.suse.com/security/cve/CVE-2019-11746/ SUSE CVE CVE-2019-11746 page https://www.suse.com/security/cve/CVE-2019-11752/ SUSE CVE CVE-2019-11752 page https://www.suse.com/security/cve/CVE-2019-11755/ SUSE CVE CVE-2019-11755 page https://www.suse.com/security/cve/CVE-2019-11757/ SUSE CVE CVE-2019-11757 page https://www.suse.com/security/cve/CVE-2019-11758/ SUSE CVE CVE-2019-11758 page https://www.suse.com/security/cve/CVE-2019-11759/ SUSE CVE CVE-2019-11759 page https://www.suse.com/security/cve/CVE-2019-11760/ SUSE CVE CVE-2019-11760 page https://www.suse.com/security/cve/CVE-2019-11761/ SUSE CVE CVE-2019-11761 page https://www.suse.com/security/cve/CVE-2019-11762/ SUSE CVE CVE-2019-11762 page https://www.suse.com/security/cve/CVE-2019-11763/ SUSE CVE CVE-2019-11763 page https://www.suse.com/security/cve/CVE-2019-11764/ SUSE CVE CVE-2019-11764 page https://www.suse.com/security/cve/CVE-2019-13722/ SUSE CVE CVE-2019-13722 page https://www.suse.com/security/cve/CVE-2019-15903/ SUSE CVE CVE-2019-15903 page https://www.suse.com/security/cve/CVE-2019-17005/ SUSE CVE CVE-2019-17005 page https://www.suse.com/security/cve/CVE-2019-17008/ SUSE CVE CVE-2019-17008 page https://www.suse.com/security/cve/CVE-2019-17010/ SUSE CVE CVE-2019-17010 page https://www.suse.com/security/cve/CVE-2019-17011/ SUSE CVE CVE-2019-17011 page https://www.suse.com/security/cve/CVE-2019-17012/ SUSE CVE CVE-2019-17012 page https://www.suse.com/security/cve/CVE-2019-17015/ SUSE CVE CVE-2019-17015 page https://www.suse.com/security/cve/CVE-2019-17016/ SUSE CVE CVE-2019-17016 page https://www.suse.com/security/cve/CVE-2019-17017/ SUSE CVE CVE-2019-17017 page https://www.suse.com/security/cve/CVE-2019-17021/ SUSE CVE CVE-2019-17021 page https://www.suse.com/security/cve/CVE-2019-17022/ SUSE CVE CVE-2019-17022 page https://www.suse.com/security/cve/CVE-2019-17024/ SUSE CVE CVE-2019-17024 page https://www.suse.com/security/cve/CVE-2019-17026/ SUSE CVE CVE-2019-17026 page https://www.suse.com/security/cve/CVE-2019-20503/ SUSE CVE CVE-2019-20503 page https://www.suse.com/security/cve/CVE-2019-5785/ SUSE CVE CVE-2019-5785 page https://www.suse.com/security/cve/CVE-2019-5798/ SUSE CVE CVE-2019-5798 page https://www.suse.com/security/cve/CVE-2019-7317/ SUSE CVE CVE-2019-7317 page https://www.suse.com/security/cve/CVE-2019-9797/ SUSE CVE CVE-2019-9797 page https://www.suse.com/security/cve/CVE-2019-9800/ SUSE CVE CVE-2019-9800 page https://www.suse.com/security/cve/CVE-2019-9810/ SUSE CVE CVE-2019-9810 page https://www.suse.com/security/cve/CVE-2019-9811/ SUSE CVE CVE-2019-9811 page https://www.suse.com/security/cve/CVE-2019-9813/ SUSE CVE CVE-2019-9813 page https://www.suse.com/security/cve/CVE-2019-9815/ SUSE CVE CVE-2019-9815 page https://www.suse.com/security/cve/CVE-2019-9816/ SUSE CVE CVE-2019-9816 page https://www.suse.com/security/cve/CVE-2019-9817/ SUSE CVE CVE-2019-9817 page https://www.suse.com/security/cve/CVE-2019-9818/ SUSE CVE CVE-2019-9818 page https://www.suse.com/security/cve/CVE-2019-9819/ SUSE CVE CVE-2019-9819 page https://www.suse.com/security/cve/CVE-2019-9820/ SUSE CVE CVE-2019-9820 page https://www.suse.com/security/cve/CVE-2020-12387/ SUSE CVE CVE-2020-12387 page https://www.suse.com/security/cve/CVE-2020-12392/ SUSE CVE CVE-2020-12392 page https://www.suse.com/security/cve/CVE-2020-12393/ SUSE CVE CVE-2020-12393 page https://www.suse.com/security/cve/CVE-2020-12395/ SUSE CVE CVE-2020-12395 page https://www.suse.com/security/cve/CVE-2020-12397/ SUSE CVE CVE-2020-12397 page https://www.suse.com/security/cve/CVE-2020-12398/ SUSE CVE CVE-2020-12398 page https://www.suse.com/security/cve/CVE-2020-12405/ SUSE CVE CVE-2020-12405 page https://www.suse.com/security/cve/CVE-2020-12406/ SUSE CVE CVE-2020-12406 page https://www.suse.com/security/cve/CVE-2020-12410/ SUSE CVE CVE-2020-12410 page https://www.suse.com/security/cve/CVE-2020-12417/ SUSE CVE CVE-2020-12417 page https://www.suse.com/security/cve/CVE-2020-12418/ SUSE CVE CVE-2020-12418 page https://www.suse.com/security/cve/CVE-2020-12419/ SUSE CVE CVE-2020-12419 page https://www.suse.com/security/cve/CVE-2020-12420/ SUSE CVE CVE-2020-12420 page https://www.suse.com/security/cve/CVE-2020-12421/ SUSE CVE CVE-2020-12421 page https://www.suse.com/security/cve/CVE-2020-15652/ SUSE CVE CVE-2020-15652 page https://www.suse.com/security/cve/CVE-2020-15659/ SUSE CVE CVE-2020-15659 page https://www.suse.com/security/cve/CVE-2020-15663/ SUSE CVE CVE-2020-15663 page https://www.suse.com/security/cve/CVE-2020-15664/ SUSE CVE CVE-2020-15664 page https://www.suse.com/security/cve/CVE-2020-15669/ SUSE CVE CVE-2020-15669 page https://www.suse.com/security/cve/CVE-2020-15673/ SUSE CVE CVE-2020-15673 page https://www.suse.com/security/cve/CVE-2020-15676/ SUSE CVE CVE-2020-15676 page https://www.suse.com/security/cve/CVE-2020-15677/ SUSE CVE CVE-2020-15677 page https://www.suse.com/security/cve/CVE-2020-15678/ SUSE CVE CVE-2020-15678 page https://www.suse.com/security/cve/CVE-2020-15683/ SUSE CVE CVE-2020-15683 page https://www.suse.com/security/cve/CVE-2020-15685/ SUSE CVE CVE-2020-15685 page https://www.suse.com/security/cve/CVE-2020-15969/ SUSE CVE CVE-2020-15969 page https://www.suse.com/security/cve/CVE-2020-15999/ SUSE CVE CVE-2020-15999 page https://www.suse.com/security/cve/CVE-2020-16012/ SUSE CVE CVE-2020-16012 page https://www.suse.com/security/cve/CVE-2020-16042/ SUSE CVE CVE-2020-16042 page https://www.suse.com/security/cve/CVE-2020-16044/ SUSE CVE CVE-2020-16044 page https://www.suse.com/security/cve/CVE-2020-26950/ SUSE CVE CVE-2020-26950 page https://www.suse.com/security/cve/CVE-2020-26951/ SUSE CVE CVE-2020-26951 page https://www.suse.com/security/cve/CVE-2020-26953/ SUSE CVE CVE-2020-26953 page https://www.suse.com/security/cve/CVE-2020-26956/ SUSE CVE CVE-2020-26956 page https://www.suse.com/security/cve/CVE-2020-26958/ SUSE CVE CVE-2020-26958 page https://www.suse.com/security/cve/CVE-2020-26959/ SUSE CVE CVE-2020-26959 page https://www.suse.com/security/cve/CVE-2020-26960/ SUSE CVE CVE-2020-26960 page https://www.suse.com/security/cve/CVE-2020-26961/ SUSE CVE CVE-2020-26961 page https://www.suse.com/security/cve/CVE-2020-26965/ SUSE CVE CVE-2020-26965 page https://www.suse.com/security/cve/CVE-2020-26966/ SUSE CVE CVE-2020-26966 page https://www.suse.com/security/cve/CVE-2020-26968/ SUSE CVE CVE-2020-26968 page https://www.suse.com/security/cve/CVE-2020-26970/ SUSE CVE CVE-2020-26970 page https://www.suse.com/security/cve/CVE-2020-26971/ SUSE CVE CVE-2020-26971 page https://www.suse.com/security/cve/CVE-2020-26973/ SUSE CVE CVE-2020-26973 page https://www.suse.com/security/cve/CVE-2020-26974/ SUSE CVE CVE-2020-26974 page https://www.suse.com/security/cve/CVE-2020-26976/ SUSE CVE CVE-2020-26976 page https://www.suse.com/security/cve/CVE-2020-26978/ SUSE CVE CVE-2020-26978 page https://www.suse.com/security/cve/CVE-2020-35111/ SUSE CVE CVE-2020-35111 page https://www.suse.com/security/cve/CVE-2020-35112/ SUSE CVE CVE-2020-35112 page https://www.suse.com/security/cve/CVE-2020-35113/ SUSE CVE CVE-2020-35113 page https://www.suse.com/security/cve/CVE-2020-6463/ SUSE CVE CVE-2020-6463 page https://www.suse.com/security/cve/CVE-2020-6514/ SUSE CVE CVE-2020-6514 page https://www.suse.com/security/cve/CVE-2020-6792/ SUSE CVE CVE-2020-6792 page https://www.suse.com/security/cve/CVE-2020-6793/ SUSE CVE CVE-2020-6793 page https://www.suse.com/security/cve/CVE-2020-6794/ SUSE CVE CVE-2020-6794 page https://www.suse.com/security/cve/CVE-2020-6795/ SUSE CVE CVE-2020-6795 page https://www.suse.com/security/cve/CVE-2020-6797/ SUSE CVE CVE-2020-6797 page https://www.suse.com/security/cve/CVE-2020-6798/ SUSE CVE CVE-2020-6798 page https://www.suse.com/security/cve/CVE-2020-6800/ SUSE CVE CVE-2020-6800 page https://www.suse.com/security/cve/CVE-2020-6805/ SUSE CVE CVE-2020-6805 page https://www.suse.com/security/cve/CVE-2020-6806/ SUSE CVE CVE-2020-6806 page https://www.suse.com/security/cve/CVE-2020-6807/ SUSE CVE CVE-2020-6807 page https://www.suse.com/security/cve/CVE-2020-6811/ SUSE CVE CVE-2020-6811 page https://www.suse.com/security/cve/CVE-2020-6812/ SUSE CVE CVE-2020-6812 page https://www.suse.com/security/cve/CVE-2020-6814/ SUSE CVE CVE-2020-6814 page https://www.suse.com/security/cve/CVE-2020-6819/ SUSE CVE CVE-2020-6819 page https://www.suse.com/security/cve/CVE-2020-6820/ SUSE CVE CVE-2020-6820 page https://www.suse.com/security/cve/CVE-2020-6821/ SUSE CVE CVE-2020-6821 page https://www.suse.com/security/cve/CVE-2020-6822/ SUSE CVE CVE-2020-6822 page https://www.suse.com/security/cve/CVE-2020-6825/ SUSE CVE CVE-2020-6825 page https://www.suse.com/security/cve/CVE-2020-6831/ SUSE CVE CVE-2020-6831 page https://www.suse.com/security/cve/CVE-2021-23953/ SUSE CVE CVE-2021-23953 page https://www.suse.com/security/cve/CVE-2021-23954/ SUSE CVE CVE-2021-23954 page https://www.suse.com/security/cve/CVE-2021-23960/ SUSE CVE CVE-2021-23960 page https://www.suse.com/security/cve/CVE-2021-23961/ SUSE CVE CVE-2021-23961 page https://www.suse.com/security/cve/CVE-2021-23964/ SUSE CVE CVE-2021-23964 page https://www.suse.com/security/cve/CVE-2021-23968/ SUSE CVE CVE-2021-23968 page https://www.suse.com/security/cve/CVE-2021-23969/ SUSE CVE CVE-2021-23969 page https://www.suse.com/security/cve/CVE-2021-23973/ SUSE CVE CVE-2021-23973 page https://www.suse.com/security/cve/CVE-2021-23978/ SUSE CVE CVE-2021-23978 page https://www.suse.com/security/cve/CVE-2021-23981/ SUSE CVE CVE-2021-23981 page https://www.suse.com/security/cve/CVE-2021-23982/ SUSE CVE CVE-2021-23982 page https://www.suse.com/security/cve/CVE-2021-23984/ SUSE CVE CVE-2021-23984 page https://www.suse.com/security/cve/CVE-2021-23987/ SUSE CVE CVE-2021-23987 page https://www.suse.com/security/cve/CVE-2021-23991/ SUSE CVE CVE-2021-23991 page https://www.suse.com/security/cve/CVE-2021-23993/ SUSE CVE CVE-2021-23993 page https://www.suse.com/security/cve/CVE-2021-23994/ SUSE CVE CVE-2021-23994 page https://www.suse.com/security/cve/CVE-2021-23995/ SUSE CVE CVE-2021-23995 page https://www.suse.com/security/cve/CVE-2021-23998/ SUSE CVE CVE-2021-23998 page https://www.suse.com/security/cve/CVE-2021-23999/ SUSE CVE CVE-2021-23999 page https://www.suse.com/security/cve/CVE-2021-24002/ SUSE CVE CVE-2021-24002 page https://www.suse.com/security/cve/CVE-2021-29945/ SUSE CVE CVE-2021-29945 page https://www.suse.com/security/cve/CVE-2021-29946/ SUSE CVE CVE-2021-29946 page https://www.suse.com/security/cve/CVE-2021-29948/ SUSE CVE CVE-2021-29948 page https://www.suse.com/security/cve/CVE-2021-29956/ SUSE CVE CVE-2021-29956 page https://www.suse.com/security/cve/CVE-2021-29957/ SUSE CVE CVE-2021-29957 page https://www.suse.com/security/cve/CVE-2021-29964/ SUSE CVE CVE-2021-29964 page https://www.suse.com/security/cve/CVE-2021-29967/ SUSE CVE CVE-2021-29967 page https://www.suse.com/security/cve/CVE-2021-29969/ SUSE CVE CVE-2021-29969 page https://www.suse.com/security/cve/CVE-2021-29970/ SUSE CVE CVE-2021-29970 page https://www.suse.com/security/cve/CVE-2021-29976/ SUSE CVE CVE-2021-29976 page https://www.suse.com/security/cve/CVE-2021-29980/ SUSE CVE CVE-2021-29980 page https://www.suse.com/security/cve/CVE-2021-29984/ SUSE CVE CVE-2021-29984 page https://www.suse.com/security/cve/CVE-2021-29985/ SUSE CVE CVE-2021-29985 page https://www.suse.com/security/cve/CVE-2021-29986/ SUSE CVE CVE-2021-29986 page https://www.suse.com/security/cve/CVE-2021-29988/ SUSE CVE CVE-2021-29988 page https://www.suse.com/security/cve/CVE-2021-29989/ SUSE CVE CVE-2021-29989 page https://www.suse.com/security/cve/CVE-2021-29991/ SUSE CVE CVE-2021-29991 page https://www.suse.com/security/cve/CVE-2021-30547/ SUSE CVE CVE-2021-30547 page https://www.suse.com/security/cve/CVE-2021-38492/ SUSE CVE CVE-2021-38492 page https://www.suse.com/security/cve/CVE-2021-38495/ SUSE CVE CVE-2021-38495 page openSUSE Tumbleweed MozillaThunderbird-91.1.1-1.1 MozillaThunderbird-translations-common-91.1.1-1.1 MozillaThunderbird-translations-other-91.1.1-1.1 MozillaThunderbird-91.1.1-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-common-91.1.1-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-other-91.1.1-1.1 as a component of openSUSE Tumbleweed Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568. CVE-2007-3089 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3089.html CVE-2007-3089 https://bugzilla.suse.com/288115 SUSE Bug 288115 Mozilla Firefox before 2.0.0.5, when run on Windows, allows remote attackers to bypass file type checks and possibly execute programs via a (1) file:/// or (2) resource: URI with a dangerous extension, followed by a NULL byte (%00) and a safer extension, which causes Firefox to treat the requested file differently than Windows would. CVE-2007-3285 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3285.html CVE-2007-3285 https://bugzilla.suse.com/288115 SUSE Bug 288115 Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs. CVE-2007-3656 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3656.html CVE-2007-3656 https://bugzilla.suse.com/288115 SUSE Bug 288115 Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well. However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending Firefox malicious data." CVE-2007-3670 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3670.html CVE-2007-3670 https://bugzilla.suse.com/288115 SUSE Bug 288115 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption. CVE-2007-3734 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3734.html CVE-2007-3734 https://bugzilla.suse.com/288115 SUSE Bug 288115 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption. CVE-2007-3735 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3735.html CVE-2007-3735 https://bugzilla.suse.com/288115 SUSE Bug 288115 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed. CVE-2007-3736 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3736.html CVE-2007-3736 https://bugzilla.suse.com/288115 SUSE Bug 288115 Mozilla Firefox before 2.0.0.5 allows remote attackers to execute arbitrary code with chrome privileges by calling an event handler from an unspecified "element outside of a document." CVE-2007-3737 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3737.html CVE-2007-3737 https://bugzilla.suse.com/288115 SUSE Bug 288115 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper. CVE-2007-3738 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3738.html CVE-2007-3738 https://bugzilla.suse.com/288115 SUSE Bug 288115 Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link. CVE-2008-0016 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-0016.html CVE-2008-0016 https://bugzilla.suse.com/429179 SUSE Bug 429179 Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution." CVE-2008-1233 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1233.html CVE-2008-1233 https://bugzilla.suse.com/370353 SUSE Bug 370353 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine. CVE-2008-1236 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1236.html CVE-2008-1236 https://bugzilla.suse.com/370353 SUSE Bug 370353 The nsXMLDocument::OnChannelRedirect function in Mozilla Firefox before 2.0.0.17, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code via unknown vectors. CVE-2008-3835 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3835.html CVE-2008-3835 https://bugzilla.suse.com/429179 SUSE Bug 429179 The XPConnect component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to (1) chrome XBL and (2) chrome JS. CVE-2008-4058 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4058.html CVE-2008-4058 https://bugzilla.suse.com/429179 SUSE Bug 429179 Integer overflow in the MathML component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via an mtd element with a large integer value in the rowspan attribute, related to the layout engine. CVE-2008-4061 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4061.html CVE-2008-4061 https://bugzilla.suse.com/429179 SUSE Bug 429179 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to graphics rendering and (1) handling of a long alert messagebox in the cairo_surface_set_device_offset function, (2) integer overflows when handling animated PNG data in the info_callback function in nsPNGDecoder.cpp, and (3) an integer overflow when handling SVG data in the nsSVGFEGaussianBlurElement::SetupPredivide function in nsSVGFilters.cpp. CVE-2008-4064 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4064.html CVE-2008-4064 https://bugzilla.suse.com/429179 SUSE Bug 429179 Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug." CVE-2008-4065 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4065.html CVE-2008-4065 https://bugzilla.suse.com/429179 SUSE Bug 429179 Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 on Linux allows remote attackers to read arbitrary files via a .. (dot dot) and URL-encoded / (slash) characters in a resource: URI. CVE-2008-4067 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4067.html CVE-2008-4067 https://bugzilla.suse.com/429179 SUSE Bug 429179 Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long header in a news article, related to "canceling [a] newsgroup message" and "cancelled newsgroup messages." CVE-2008-4070 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4070.html CVE-2008-4070 https://bugzilla.suse.com/429179 SUSE Bug 429179 Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon. CVE-2008-5012 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5012.html CVE-2008-5012 https://bugzilla.suse.com/439841 SUSE Bug 439841 jslock.cpp in Mozilla Firefox 3.x before 3.0.2, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying the window.__proto__.__proto__ object in a way that causes a lock on a non-native object, which triggers an assertion failure related to the OBJ_IS_NATIVE function. CVE-2008-5014 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5014.html CVE-2008-5014 https://bugzilla.suse.com/439841 SUSE Bug 439841 The layout engine in Mozilla Firefox 3.x before 3.0.4, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via multiple vectors that trigger an assertion failure or other consequences. CVE-2008-5016 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5016.html CVE-2008-5016 https://bugzilla.suse.com/439841 SUSE Bug 439841 nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by modifying properties of a file input element while it is still being initialized, then using the blur method to access uninitialized memory. CVE-2008-5021 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5021.html CVE-2008-5021 https://bugzilla.suse.com/439841 SUSE Bug 439841 The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the same-origin policy and execute arbitrary script via multiple listeners, which bypass the inner window check. CVE-2008-5022 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5022.html CVE-2008-5022 https://bugzilla.suse.com/439841 SUSE Bug 439841 Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document. CVE-2008-5024 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5024.html CVE-2008-5024 https://bugzilla.suse.com/439841 SUSE Bug 439841 The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to (1) a reachable assertion or (2) an integer overflow. CVE-2008-5500 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5500.html CVE-2008-5500 https://bugzilla.suse.com/455804 SUSE Bug 455804 The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings. CVE-2008-5503 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5503.html CVE-2008-5503 https://bugzilla.suse.com/455804 SUSE Bug 455804 Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure." CVE-2008-5506 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5506.html CVE-2008-5506 https://bugzilla.suse.com/455804 SUSE Bug 455804 Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API. CVE-2008-5507 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5507.html CVE-2008-5507 https://bugzilla.suse.com/455804 SUSE Bug 455804 Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not properly parse URLs with leading whitespace or control characters, which might allow remote attackers to misrepresent URLs and simplify phishing attacks. CVE-2008-5508 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5508.html CVE-2008-5508 https://bugzilla.suse.com/455804 SUSE Bug 455804 The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 ignores the '\0' escaped null character, which might allow remote attackers to bypass protection mechanisms such as sanitization routines. CVE-2008-5510 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5510.html CVE-2008-5510 https://bugzilla.suse.com/455804 SUSE Bug 455804 Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document." CVE-2008-5511 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5511.html CVE-2008-5511 https://bugzilla.suse.com/455804 SUSE Bug 455804 libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file. CVE-2016-5824 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5824.html CVE-2016-5824 https://bugzilla.suse.com/1015964 SUSE Bug 1015964 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986631 SUSE Bug 986631 https://bugzilla.suse.com/986639 SUSE Bug 986639 https://bugzilla.suse.com/986642 SUSE Bug 986642 https://bugzilla.suse.com/986658 SUSE Bug 986658 Memory safety bugs were reported in Thunderbird 45.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9893 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9893.html CVE-2016-9893 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9895 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9895.html CVE-2016-9895 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9897 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9897.html CVE-2016-9897 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9898 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9898.html CVE-2016-9898 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9899 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9899.html CVE-2016-9899 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9900 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9900.html CVE-2016-9900 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. CVE-2016-9904 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9904.html CVE-2016-9904 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6. CVE-2016-9905 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9905.html CVE-2016-9905 https://bugzilla.suse.com/1015422 SUSE Bug 1015422 https://bugzilla.suse.com/1015527 SUSE Bug 1015527 https://bugzilla.suse.com/1015528 SUSE Bug 1015528 https://bugzilla.suse.com/1015529 SUSE Bug 1015529 https://bugzilla.suse.com/1015530 SUSE Bug 1015530 https://bugzilla.suse.com/1015531 SUSE Bug 1015531 https://bugzilla.suse.com/1015533 SUSE Bug 1015533 https://bugzilla.suse.com/1015534 SUSE Bug 1015534 https://bugzilla.suse.com/1015535 SUSE Bug 1015535 https://bugzilla.suse.com/1015536 SUSE Bug 1015536 https://bugzilla.suse.com/1015537 SUSE Bug 1015537 https://bugzilla.suse.com/1015538 SUSE Bug 1015538 https://bugzilla.suse.com/1015540 SUSE Bug 1015540 https://bugzilla.suse.com/1015541 SUSE Bug 1015541 https://bugzilla.suse.com/1015542 SUSE Bug 1015542 Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected. CVE-2017-16541 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16541.html CVE-2017-16541 https://bugzilla.suse.com/1066489 SUSE Bug 1066489 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5373 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5373.html CVE-2017-5373 https://bugzilla.suse.com/1021824 SUSE Bug 1021824 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5375 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5375.html CVE-2017-5375 https://bugzilla.suse.com/1021814 SUSE Bug 1021814 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 Use-after-free while manipulating XSL in XSLT documents. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5376 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5376.html CVE-2017-5376 https://bugzilla.suse.com/1021817 SUSE Bug 1021817 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5378 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5378.html CVE-2017-5378 https://bugzilla.suse.com/1021818 SUSE Bug 1021818 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5380 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5380.html CVE-2017-5380 https://bugzilla.suse.com/1021819 SUSE Bug 1021819 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5383 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5383.html CVE-2017-5383 https://bugzilla.suse.com/1021822 SUSE Bug 1021822 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5390 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5390.html CVE-2017-5390 https://bugzilla.suse.com/1021820 SUSE Bug 1021820 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5396 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5396.html CVE-2017-5396 https://bugzilla.suse.com/1021821 SUSE Bug 1021821 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 Memory safety bugs were reported in Thunderbird 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5398 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5398.html CVE-2017-5398 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 Memory safety bugs were reported in Firefox 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5399 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5399.html CVE-2017-5399 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5400 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5400.html CVE-2017-5400 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A crash triggerable by web content in which an "ErrorResult" references unassigned memory due to a logic error. The resulting crash may be exploitable. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5401 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5401.html CVE-2017-5401 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A use-after-free can occur when events are fired for a "FontFace" object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5402 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5402.html CVE-2017-5402 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 When adding a range to an object in the DOM, it is possible to use "addRange" to add the range to an incorrect root object. This triggers a use-after-free, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5403 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5403.html CVE-2017-5403 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5404 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5404.html CVE-2017-5404 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5405 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5405.html CVE-2017-5405 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5406 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5406.html CVE-2017-5406 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5407 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5407.html CVE-2017-5407 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5408 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5408.html CVE-2017-5408 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental sweeping is managed for memory cleanup. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. CVE-2017-5410 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5410.html CVE-2017-5410 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A buffer overflow read during SVG filter color value operations, resulting in data exposure. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5412 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5412.html CVE-2017-5412 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A segmentation fault can occur during some bidirectional layout operations. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5413 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5413.html CVE-2017-5413 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5414 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5414.html CVE-2017-5414 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 In certain circumstances a networking event listener can be prematurely released. This appears to result in a null dereference in practice. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5416 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5416.html CVE-2017-5416 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random memory containing matches to specifically set patterns. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5418 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5418.html CVE-2017-5418 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 If a malicious site repeatedly triggers a modal authentication prompt, eventually the browser UI will become non-responsive, requiring shutdown through the operating system. This is a denial of service (DOS) attack. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5419 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5419.html CVE-2017-5419 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 A malicious site could spoof the contents of the print preview window if popup windows are enabled, resulting in user confusion of what site is currently loaded. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5421 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5421.html CVE-2017-5421 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 If a malicious site uses the "view-source:" protocol in a series within a single hyperlink, it can trigger a non-exploitable browser crash when the hyperlink is selected. This was fixed by no longer making "view-source:" linkable. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5422 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5422.html CVE-2017-5422 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 On Linux, if the secure computing mode BPF (seccomp-bpf) filter is running when the Gecko Media Plugin sandbox is started, the sandbox fails to be applied and items that would run within the sandbox are run protected only by the running filter which is typically weak compared to the sandbox. Note: this issue only affects Linux. Other operating systems are not affected. This vulnerability affects Firefox < 52 and Thunderbird < 52. CVE-2017-5426 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5426.html CVE-2017-5426 https://bugzilla.suse.com/1028391 SUSE Bug 1028391 https://bugzilla.suse.com/1028393 SUSE Bug 1028393 Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5429 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5429.html CVE-2017-5429 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5430 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5430.html CVE-2017-5430 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability occurs during certain text input selection resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5432 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5432.html CVE-2017-5432 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5433 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5433.html CVE-2017-5433 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5434 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5434.html CVE-2017-5434 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5435 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5435.html CVE-2017-5435 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5436 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5436.html CVE-2017-5436 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035204 SUSE Bug 1035204 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10195, CVE-2016-10196, CVE-2016-10197. Reason: This candidate is a duplicate of CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. Notes: All CVE users should reference CVE-2016-10195, CVE-2016-10196, and/or CVE-2016-10197 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2017-5437 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5437.html CVE-2017-5437 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5438 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5438.html CVE-2017-5438 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5439 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5439.html CVE-2017-5439 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions during matching while evaluating context, leading to objects being used when they no longer exist. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5440 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5440.html CVE-2017-5440 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability when holding a selection during scroll events. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5441 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5441.html CVE-2017-5441 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5442 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5442.html CVE-2017-5442 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5443 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5443.html CVE-2017-5443 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A buffer overflow vulnerability while parsing "application/http-index-format" format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5444 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5444.html CVE-2017-5444 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A vulnerability while parsing "application/http-index-format" format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5445 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5445.html CVE-2017-5445 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 An out-of-bounds read when an HTTP/2 connection to a servers sends "DATA" frames with incorrect data content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5446 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5446.html CVE-2017-5446 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5447 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5447.html CVE-2017-5447 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5449 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5449.html CVE-2017-5449 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5451 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5451.html CVE-2017-5451 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5454 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5454.html CVE-2017-5454 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5459 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5459.html CVE-2017-5459 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A use-after-free vulnerability in frame selection triggered by a combination of malicious script content and key presses by a user. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5460 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5460.html CVE-2017-5460 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. CVE-2017-5461 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5461.html CVE-2017-5461 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5462 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5462.html CVE-2017-5462 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with the accessibility tree, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5464 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:H/Au:M/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5464.html CVE-2017-5464 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 An out-of-bounds read while processing SVG content in "ConvolvePixel". This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could then displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5465 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5465.html CVE-2017-5465 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5466 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5466.html CVE-2017-5466 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5467 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5467.html CVE-2017-5467 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5469 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5469.html CVE-2017-5469 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-5470 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5470.html CVE-2017-5470 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-5472 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5472.html CVE-2017-5472 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7749 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7749.html CVE-2017-7749 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability during video control operations when a "<track>" element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7750 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7750.html CVE-2017-7750 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7751 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7751.html CVE-2017-7751 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7752 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7752.html CVE-2017-7752 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7753 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.8 AV:N/AC:M/Au:N/C:P/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7753.html CVE-2017-7753 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7754 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7754.html CVE-2017-7754 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR). This could result in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7756 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7756.html CVE-2017-7756 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7757 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7757.html CVE-2017-7757 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7758 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7758.html CVE-2017-7758 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7763 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7763.html CVE-2017-7763 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7764 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 4 AV:N/AC:H/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7764.html CVE-2017-7764 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7765 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7765.html CVE-2017-7765 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Heap-based Buffer Overflow write in Graphite2 library in Firefox before 54 in lz4::decompress src/Decompressor. CVE-2017-7773 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7773.html CVE-2017-7773 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Use of uninitialized memory in Graphite2 library in Firefox before 54 in graphite2::GlyphCache::Loader::read_glyph function. CVE-2017-7777 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7777.html CVE-2017-7777 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. CVE-2017-7778 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7778.html CVE-2017-7778 https://bugzilla.suse.com/1043960 SUSE Bug 1043960 https://bugzilla.suse.com/1044239 SUSE Bug 1044239 https://bugzilla.suse.com/1044240 SUSE Bug 1044240 https://bugzilla.suse.com/1044241 SUSE Bug 1044241 https://bugzilla.suse.com/1044242 SUSE Bug 1044242 Memory safety bugs were reported in Firefox 54, Firefox ESR 52.2, and Thunderbird 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7779 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7779.html CVE-2017-7779 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7782 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7782.html CVE-2017-7782 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7784 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7784.html CVE-2017-7784 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7785 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7785.html CVE-2017-7785 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7786 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7786.html CVE-2017-7786 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7787 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7787.html CVE-2017-7787 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7791 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7791.html CVE-2017-7791 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7792 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7792.html CVE-2017-7792 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7793 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7793.html CVE-2017-7793 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR < 52.3 and Firefox < 55. CVE-2017-7798 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7798.html CVE-2017-7798 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7800 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7800.html CVE-2017-7800 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur while re-computing layout for a "marquee" element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7801 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7801.html CVE-2017-7801 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7802 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7802.html CVE-2017-7802 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7803 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7803.html CVE-2017-7803 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7804 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7804.html CVE-2017-7804 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7805 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7805.html CVE-2017-7805 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 https://bugzilla.suse.com/1061005 SUSE Bug 1061005 A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. CVE-2017-7807 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7807.html CVE-2017-7807 https://bugzilla.suse.com/1052829 SUSE Bug 1052829 Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7810 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7810.html CVE-2017-7810 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables that would otherwise be detected as suspicious. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7814 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7814.html CVE-2017-7814 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7818 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7818.html CVE-2017-7818 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7819 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7819.html CVE-2017-7819 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7823 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7823.html CVE-2017-7823 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7824 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7824.html CVE-2017-7824 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 Several fonts on OS X display some Tibetan and Arabic characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. CVE-2017-7825 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7825.html CVE-2017-7825 https://bugzilla.suse.com/1060445 SUSE Bug 1060445 Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7826 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7826.html CVE-2017-7826 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7828 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7828.html CVE-2017-7828 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7829 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7829.html CVE-2017-7829 https://bugzilla.suse.com/1071236 SUSE Bug 1071236 https://bugzilla.suse.com/1074046 SUSE Bug 1074046 The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7830 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7830.html CVE-2017-7830 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Thunderbird < 52.5.2, Firefox ESR < 52.5.2, and Firefox < 57.0.2. CVE-2017-7845 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7845.html CVE-2017-7845 It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7846 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7846.html CVE-2017-7846 https://bugzilla.suse.com/1074043 SUSE Bug 1074043 Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7847 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7847.html CVE-2017-7847 https://bugzilla.suse.com/1074044 SUSE Bug 1074044 RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2. CVE-2017-7848 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7848.html CVE-2017-7848 https://bugzilla.suse.com/1074045 SUSE Bug 1074045 A buffer overflow can occur when rendering canvas content while adjusting the height and width of the canvas element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12359 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12359.html CVE-2018-12359 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12360 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12360.html CVE-2018-12360 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61. CVE-2018-12361 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12361.html CVE-2018-12361 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12362 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12362.html CVE-2018-12362 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12363 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12363.html CVE-2018-12363 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12364 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12364.html CVE-2018-12364 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12365 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12365.html CVE-2018-12365 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-12366 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12366.html CVE-2018-12366 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61. CVE-2018-12367 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12367.html CVE-2018-12367 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.1, Thunderbird < 60, and Firefox < 61. CVE-2018-12371 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12371.html CVE-2018-12371 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 52.9. CVE-2018-12372 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12372.html CVE-2018-12372 https://bugzilla.suse.com/1100082 SUSE Bug 1100082 dDecrypted S/MIME parts hidden with CSS or the plaintext HTML tag can leak plaintext when included in a HTML reply/forward. This vulnerability affects Thunderbird < 52.9. CVE-2018-12373 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12373.html CVE-2018-12373 https://bugzilla.suse.com/1100079 SUSE Bug 1100079 Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field. This vulnerability affects Thunderbird < 52.9. CVE-2018-12374 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12374.html CVE-2018-12374 https://bugzilla.suse.com/1100081 SUSE Bug 1100081 Memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. CVE-2018-12376 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12376.html CVE-2018-12376 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. CVE-2018-12377 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12377.html CVE-2018-12377 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. CVE-2018-12378 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12378.html CVE-2018-12378 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1. CVE-2018-12383 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12383.html CVE-2018-12383 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. This vulnerability affects Thunderbird < 60.2.1, Firefox ESR < 60.2.1, and Firefox < 62.0.2. CVE-2018-12385 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12385.html CVE-2018-12385 https://bugzilla.suse.com/1109363 SUSE Bug 1109363 Mozilla developers and community members reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.3 and Thunderbird < 60.3. CVE-2018-12389 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12389.html CVE-2018-12389 https://bugzilla.suse.com/1112852 SUSE Bug 1112852 Mozilla developers and community members reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. CVE-2018-12390 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12390.html CVE-2018-12390 https://bugzilla.suse.com/1112852 SUSE Bug 1112852 During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. CVE-2018-12391 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12391.html CVE-2018-12391 https://bugzilla.suse.com/1112852 SUSE Bug 1112852 When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. CVE-2018-12392 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12392.html CVE-2018-12392 https://bugzilla.suse.com/1112852 SUSE Bug 1112852 A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.*. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3. CVE-2018-12393 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12393.html CVE-2018-12393 https://bugzilla.suse.com/1112852 SUSE Bug 1112852 Mozilla developers and community members reported memory safety bugs present in Firefox 63 and Firefox ESR 60.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-12405 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12405.html CVE-2018-12405 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 Incorrect texture handling in Angle in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2018-17466 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17466.html CVE-2018-17466 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 Heap buffer overflow in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-18335 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18335.html CVE-2018-18335 https://bugzilla.suse.com/1118529 SUSE Bug 1118529 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 An integer overflow in path handling lead to a use after free in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-18356 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18356.html CVE-2018-18356 https://bugzilla.suse.com/1118529 SUSE Bug 1118529 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396 A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select element in the options collection. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18492 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18492.html CVE-2018-18492 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A buffer overflow can occur in the Skia library during buffer offset calculations with hardware accelerated canvas 2D actions due to the use of 32-bit calculations instead of 64-bit. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18493 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18493.html CVE-2018-18493 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18494 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18494.html CVE-2018-18494 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A potential vulnerability leading to an integer overflow can occur during buffer size calculations for images when a raw value is used instead of the checked value. This leads to a possible out-of-bounds write. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18498 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18498.html CVE-2018-18498 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65. CVE-2018-18500 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18500.html CVE-2018-18500 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986639 SUSE Bug 986639 Mozilla developers and community members reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65. CVE-2018-18501 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18501.html CVE-2018-18501 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986639 SUSE Bug 986639 An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficient for channels created after the IPC process is started, leading to the authentication not being correctly applied to later channels. This could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65. CVE-2018-18505 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18505.html CVE-2018-18505 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986639 SUSE Bug 986639 A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1. CVE-2018-18509 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18509.html CVE-2018-18509 Cross-origin images can be read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap method. *Note: This only affects Firefox 65. Previous versions are unaffected.*. This vulnerability affects Firefox < 65.0.1. CVE-2018-18511 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18511.html CVE-2018-18511 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 Memory safety bugs were reported in Firefox 57 and Firefox ESR 52.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5089 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5089.html CVE-2018-5089 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5095 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5095.html CVE-2018-5095 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur while editing events in form elements on a page, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.6 and Thunderbird < 52.6. CVE-2018-5096 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5096.html CVE-2018-5096 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5097 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5097.html CVE-2018-5097 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur when form input elements, focus, and selections are manipulated by script content. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5098 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5098.html CVE-2018-5098 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur when the widget listener is holding strong references to browser objects that have previously been freed, resulting in a potentially exploitable crash when these references are used. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5099 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5099.html CVE-2018-5099 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5102 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5102.html CVE-2018-5102 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5103 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5103.html CVE-2018-5103 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5104 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5104.html CVE-2018-5104 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. CVE-2018-5117 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5117.html CVE-2018-5117 https://bugzilla.suse.com/1077291 SUSE Bug 1077291 Memory safety bugs were reported in Firefox 58 and Firefox ESR 52.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. CVE-2018-5125 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5125.html CVE-2018-5125 https://bugzilla.suse.com/1085130 SUSE Bug 1085130 A buffer overflow can occur when manipulating the SVG "animatedPathSegList" through script. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. CVE-2018-5127 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5127.html CVE-2018-5127 https://bugzilla.suse.com/1085130 SUSE Bug 1085130 A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. CVE-2018-5129 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5129.html CVE-2018-5129 https://bugzilla.suse.com/1085130 SUSE Bug 1085130 An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7. CVE-2018-5144 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5144.html CVE-2018-5144 https://bugzilla.suse.com/1085130 SUSE Bug 1085130 Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7. CVE-2018-5145 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5145.html CVE-2018-5145 https://bugzilla.suse.com/1085130 SUSE Bug 1085130 An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. CVE-2018-5146 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5146.html CVE-2018-5146 https://bugzilla.suse.com/1085671 SUSE Bug 1085671 https://bugzilla.suse.com/1085687 SUSE Bug 1085687 https://bugzilla.suse.com/1180395 SUSE Bug 1180395 Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. CVE-2018-5150 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5150.html CVE-2018-5150 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. CVE-2018-5154 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5154.html CVE-2018-5154 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. CVE-2018-5155 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5155.html CVE-2018-5155 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-5156 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5156.html CVE-2018-5156 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. CVE-2018-5159 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5159.html CVE-2018-5159 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Crafted message headers can cause a Thunderbird process to hang on receiving the message. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. CVE-2018-5161 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5161.html CVE-2018-5161 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. CVE-2018-5162 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5162.html CVE-2018-5162 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093151 SUSE Bug 1093151 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. CVE-2018-5168 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5168.html CVE-2018-5168 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. CVE-2018-5170 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5170.html CVE-2018-5170 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. CVE-2018-5174 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5174.html CVE-2018-5174 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8. CVE-2018-5178 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5178.html CVE-2018-5178 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Mozilla developers backported selected changes in the Skia library. These changes correct memory corruption issues including invalid buffer reads and writes during graphic operations. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8. CVE-2018-5183 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5183.html CVE-2018-5183 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. CVE-2018-5184 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5184.html CVE-2018-5184 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093152 SUSE Bug 1093152 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. CVE-2018-5185 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5185.html CVE-2018-5185 https://bugzilla.suse.com/1092548 SUSE Bug 1092548 https://bugzilla.suse.com/1092611 SUSE Bug 1092611 https://bugzilla.suse.com/1093151 SUSE Bug 1093151 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 https://bugzilla.suse.com/1093970 SUSE Bug 1093970 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093972 SUSE Bug 1093972 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 Memory safety bugs present in Firefox 60 and Firefox ESR 60. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61. CVE-2018-5187 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5187.html CVE-2018-5187 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 Memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. CVE-2018-5188 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5188.html CVE-2018-5188 https://bugzilla.suse.com/1098998 SUSE Bug 1098998 A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-11691 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11691.html CVE-2019-11691 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A use-after-free vulnerability can occur when listeners are removed from the event listener manager while still in use, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-11692 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11692.html CVE-2019-11692 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 The bufferdata function in WebGL is vulnerable to a buffer overflow with specific graphics drivers on Linux. This could result in malicious content freezing a tab or triggering a potentially exploitable crash. *Note: this issue only occurs on Linux. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-11693 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11693.html CVE-2019-11693 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A vulnerability exists in the Windows sandbox where an uninitialized value in memory can be leaked to a renderer from a broker when making a call to access an otherwise unavailable file. This results in the potential leaking of information stored at that memory location. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-11694 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11694.html CVE-2019-11694 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-11698 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11698.html CVE-2019-11698 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11703 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11703.html CVE-2019-11703 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11704 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11704.html CVE-2019-11704 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11705 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11705.html CVE-2019-11705 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1. CVE-2019-11706 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11706.html CVE-2019-11706 https://bugzilla.suse.com/1137595 SUSE Bug 1137595 A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. CVE-2019-11707 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11707.html CVE-2019-11707 https://bugzilla.suse.com/1138614 SUSE Bug 1138614 Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. CVE-2019-11708 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11708.html CVE-2019-11708 https://bugzilla.suse.com/1138872 SUSE Bug 1138872 Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11709 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11709.html CVE-2019-11709 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11711 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11711.html CVE-2019-11711 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11712 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11712.html CVE-2019-11712 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11713 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11713.html CVE-2019-11713 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11715 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11715.html CVE-2019-11715 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11717 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11717.html CVE-2019-11717 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11719 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11719.html CVE-2019-11719 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11729 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11729.html CVE-2019-11729 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-11730 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11730.html CVE-2019-11730 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. CVE-2019-11739 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11739.html CVE-2019-11739 https://bugzilla.suse.com/1150939 SUSE Bug 1150939 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. CVE-2019-11740 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11740.html CVE-2019-11740 https://bugzilla.suse.com/1149299 SUSE Bug 1149299 https://bugzilla.suse.com/1149323 SUSE Bug 1149323 https://bugzilla.suse.com/1149324 SUSE Bug 1149324 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a &lt;canvas&gt; element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. CVE-2019-11742 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11742.html CVE-2019-11742 https://bugzilla.suse.com/1149303 SUSE Bug 1149303 https://bugzilla.suse.com/1149323 SUSE Bug 1149323 https://bugzilla.suse.com/1149324 SUSE Bug 1149324 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. CVE-2019-11743 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11743.html CVE-2019-11743 https://bugzilla.suse.com/1149298 SUSE Bug 1149298 https://bugzilla.suse.com/1149323 SUSE Bug 1149323 https://bugzilla.suse.com/1149324 SUSE Bug 1149324 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 Some HTML elements, such as &lt;title&gt; and &lt;textarea&gt;, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. CVE-2019-11744 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11744.html CVE-2019-11744 https://bugzilla.suse.com/1149304 SUSE Bug 1149304 https://bugzilla.suse.com/1149323 SUSE Bug 1149323 https://bugzilla.suse.com/1149324 SUSE Bug 1149324 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. CVE-2019-11746 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11746.html CVE-2019-11746 https://bugzilla.suse.com/1149297 SUSE Bug 1149297 https://bugzilla.suse.com/1149323 SUSE Bug 1149323 https://bugzilla.suse.com/1149324 SUSE Bug 1149324 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. CVE-2019-11752 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11752.html CVE-2019-11752 https://bugzilla.suse.com/1149296 SUSE Bug 1149296 https://bugzilla.suse.com/1149323 SUSE Bug 1149323 https://bugzilla.suse.com/1149324 SUSE Bug 1149324 https://bugzilla.suse.com/1150940 SUSE Bug 1150940 A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message. Previous versions had only suppressed showing a digital signature for messages with an outer multipart/signed layer. This vulnerability affects Thunderbird < 68.1.1. CVE-2019-11755 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11755.html CVE-2019-11755 https://bugzilla.suse.com/1152375 SUSE Bug 1152375 When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11757 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11757.html CVE-2019-11757 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11758 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11758.html CVE-2019-11758 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11759 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11759.html CVE-2019-11759 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11760 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11760.html CVE-2019-11760 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11761 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11761.html CVE-2019-11761 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11762 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11762.html CVE-2019-11762 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11763 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11763.html CVE-2019-11763 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. CVE-2019-11764 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11764.html CVE-2019-11764 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 Inappropriate implementation in WebRTC in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2019-13722 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13722.html CVE-2019-13722 https://bugzilla.suse.com/1158328 SUSE Bug 1158328 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. CVE-2019-15903 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-15903.html CVE-2019-15903 https://bugzilla.suse.com/1149429 SUSE Bug 1149429 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 https://bugzilla.suse.com/1154806 SUSE Bug 1154806 The plain text serializer used a fixed-size array for the number of <ol> elements it could process; however it was possible to overflow the static-sized array leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-17005 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17005.html CVE-2019-17005 https://bugzilla.suse.com/1158328 SUSE Bug 1158328 When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-17008 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17008.html CVE-2019-17008 https://bugzilla.suse.com/1158328 SUSE Bug 1158328 Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-17010 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17010.html CVE-2019-17010 https://bugzilla.suse.com/1158328 SUSE Bug 1158328 Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-17011 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17011.html CVE-2019-17011 https://bugzilla.suse.com/1158328 SUSE Bug 1158328 Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. CVE-2019-17012 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17012.html CVE-2019-17012 https://bugzilla.suse.com/1158328 SUSE Bug 1158328 During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. CVE-2019-17015 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17015.html CVE-2019-17015 https://bugzilla.suse.com/1160305 SUSE Bug 1160305 When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. CVE-2019-17016 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17016.html CVE-2019-17016 https://bugzilla.suse.com/1160305 SUSE Bug 1160305 Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. CVE-2019-17017 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17017.html CVE-2019-17017 https://bugzilla.suse.com/1160305 SUSE Bug 1160305 During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. CVE-2019-17021 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17021.html CVE-2019-17021 https://bugzilla.suse.com/1160305 SUSE Bug 1160305 When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer does not escape &lt; and &gt; characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. CVE-2019-17022 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17022.html CVE-2019-17022 https://bugzilla.suse.com/1160305 SUSE Bug 1160305 Mozilla developers reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. CVE-2019-17024 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17024.html CVE-2019-17024 https://bugzilla.suse.com/1160305 SUSE Bug 1160305 Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. CVE-2019-17026 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17026.html CVE-2019-17026 https://bugzilla.suse.com/1160498 SUSE Bug 1160498 usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. CVE-2019-20503 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20503.html CVE-2019-20503 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 https://bugzilla.suse.com/1167090 SUSE Bug 1167090 Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2019-5785 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5785.html CVE-2019-5785 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396 Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2019-5798 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5798.html CVE-2019-5798 https://bugzilla.suse.com/1129059 SUSE Bug 1129059 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. CVE-2019-7317 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-7317.html CVE-2019-7317 https://bugzilla.suse.com/1124211 SUSE Bug 1124211 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 https://bugzilla.suse.com/1141780 SUSE Bug 1141780 https://bugzilla.suse.com/1147021 SUSE Bug 1147021 https://bugzilla.suse.com/1165297 SUSE Bug 1165297 Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This vulnerability affects Firefox < 66. CVE-2019-9797 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9797.html CVE-2019-9797 https://bugzilla.suse.com/1129821 SUSE Bug 1129821 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 Mozilla developers and community members reported memory safety bugs present in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9800 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9800.html CVE-2019-9800 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. CVE-2019-9810 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9810.html CVE-2019-9810 https://bugzilla.suse.com/1129821 SUSE Bug 1129821 https://bugzilla.suse.com/1130262 SUSE Bug 1130262 As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. CVE-2019-9811 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9811.html CVE-2019-9811 https://bugzilla.suse.com/1140868 SUSE Bug 1140868 Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. CVE-2019-9813 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9813.html CVE-2019-9813 https://bugzilla.suse.com/1129821 SUSE Bug 1129821 https://bugzilla.suse.com/1130262 SUSE Bug 1130262 If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9815 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9815.html CVE-2019-9815 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supported releases.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9816 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9816.html CVE-2019-9816 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9817 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9817.html CVE-2019-9817 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. *Note: this vulnerability only affects Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9818 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9818.html CVE-2019-9818 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9819 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9819.html CVE-2019-9819 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. CVE-2019-9820 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9820.html CVE-2019-9820 https://bugzilla.suse.com/1135824 SUSE Bug 1135824 A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12387 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12387.html CVE-2020-12387 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12392 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12392.html CVE-2020-12392 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12393 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12393.html CVE-2020-12393 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12395 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12395.html CVE-2020-12395 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. CVE-2020-12397 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12397.html CVE-2020-12397 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0. CVE-2020-12398 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12398.html CVE-2020-12398 https://bugzilla.suse.com/1172402 SUSE Bug 1172402 When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. CVE-2020-12405 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12405.html CVE-2020-12405 https://bugzilla.suse.com/1172402 SUSE Bug 1172402 Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. CVE-2020-12406 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12406.html CVE-2020-12406 https://bugzilla.suse.com/1172402 SUSE Bug 1172402 Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. CVE-2020-12410 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12410.html CVE-2020-12410 https://bugzilla.suse.com/1172402 SUSE Bug 1172402 Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12417 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12417.html CVE-2020-12417 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12418 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12418.html CVE-2020-12418 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12419 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12419.html CVE-2020-12419 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12420 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12420.html CVE-2020-12420 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12421 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12421.html CVE-2020-12421 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. CVE-2020-15652 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15652.html CVE-2020-15652 https://bugzilla.suse.com/1174538 SUSE Bug 1174538 Mozilla developers and community members reported memory safety bugs present in Firefox 78 and Firefox ESR 78.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. CVE-2020-15659 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15659.html CVE-2020-15659 https://bugzilla.suse.com/1174538 SUSE Bug 1174538 If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, and Firefox ESR < 78.2. CVE-2020-15663 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15663.html CVE-2020-15663 https://bugzilla.suse.com/1175686 SUSE Bug 1175686 By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80. CVE-2020-15664 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15664.html CVE-2020-15664 https://bugzilla.suse.com/1175686 SUSE Bug 1175686 When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. This results in a use-after-free and we presume that with enough effort it could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.12 and Thunderbird < 68.12. CVE-2020-15669 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15669.html CVE-2020-15669 https://bugzilla.suse.com/1175686 SUSE Bug 1175686 Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. CVE-2020-15673 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15673.html CVE-2020-15673 https://bugzilla.suse.com/1176756 SUSE Bug 1176756 https://bugzilla.suse.com/1176899 SUSE Bug 1176899 Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. CVE-2020-15676 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15676.html CVE-2020-15676 https://bugzilla.suse.com/1176756 SUSE Bug 1176756 https://bugzilla.suse.com/1176899 SUSE Bug 1176899 By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. CVE-2020-15677 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15677.html CVE-2020-15677 https://bugzilla.suse.com/1176756 SUSE Bug 1176756 https://bugzilla.suse.com/1176899 SUSE Bug 1176899 When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. CVE-2020-15678 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15678.html CVE-2020-15678 https://bugzilla.suse.com/1176756 SUSE Bug 1176756 https://bugzilla.suse.com/1176899 SUSE Bug 1176899 Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4, Firefox < 82, and Thunderbird < 78.4. CVE-2020-15683 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15683.html CVE-2020-15683 https://bugzilla.suse.com/1177872 SUSE Bug 1177872 https://bugzilla.suse.com/1177977 SUSE Bug 1177977 During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. This vulnerability affects Thunderbird < 78.7. CVE-2020-15685 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15685.html CVE-2020-15685 https://bugzilla.suse.com/1181414 SUSE Bug 1181414 Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15969 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15969.html CVE-2020-15969 https://bugzilla.suse.com/1177408 SUSE Bug 1177408 https://bugzilla.suse.com/1177872 SUSE Bug 1177872 https://bugzilla.suse.com/1177977 SUSE Bug 1177977 Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15999.html CVE-2020-15999 https://bugzilla.suse.com/1177914 SUSE Bug 1177914 https://bugzilla.suse.com/1177936 SUSE Bug 1177936 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2020-16012 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-16012.html CVE-2020-16012 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 https://bugzilla.suse.com/1178923 SUSE Bug 1178923 Uninitialized Use in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVE-2020-16042 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-16042.html CVE-2020-16042 https://bugzilla.suse.com/1179576 SUSE Bug 1179576 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet. CVE-2020-16044 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-16044.html CVE-2020-16044 https://bugzilla.suse.com/1180623 SUSE Bug 1180623 https://bugzilla.suse.com/1181137 SUSE Bug 1181137 In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2. CVE-2020-26950 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26950.html CVE-2020-26950 https://bugzilla.suse.com/1177872 SUSE Bug 1177872 https://bugzilla.suse.com/1178588 SUSE Bug 1178588 https://bugzilla.suse.com/1178611 SUSE Bug 1178611 A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26951 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26951.html CVE-2020-26951 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26953 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26953.html CVE-2020-26953 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26956 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26956.html CVE-2020-26956 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26958 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26958.html CVE-2020-26958 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26959 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26959.html CVE-2020-26959 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26960 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26960.html CVE-2020-26960 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26961 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26961.html CVE-2020-26961 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26965 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26965.html CVE-2020-26965 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26966 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26966.html CVE-2020-26966 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. CVE-2020-26968 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26968.html CVE-2020-26968 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable. This vulnerability affects Thunderbird < 78.5.1. CVE-2020-26970 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26970.html CVE-2020-26970 https://bugzilla.suse.com/1179530 SUSE Bug 1179530 Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-26971 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26971.html CVE-2020-26971 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-26973 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26973.html CVE-2020-26973 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-26974 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26974.html CVE-2020-26974 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. CVE-2020-26976 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26976.html CVE-2020-26976 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 https://bugzilla.suse.com/1181414 SUSE Bug 1181414 Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-26978 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26978.html CVE-2020-26978 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-35111 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35111.html CVE-2020-35111 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-35112 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35112.html CVE-2020-35112 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. CVE-2020-35113 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35113.html CVE-2020-35113 https://bugzilla.suse.com/1180039 SUSE Bug 1180039 Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6463 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6463.html CVE-2020-6463 https://bugzilla.suse.com/1171975 SUSE Bug 1171975 https://bugzilla.suse.com/1174538 SUSE Bug 1174538 Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream. CVE-2020-6514 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6514.html CVE-2020-6514 https://bugzilla.suse.com/1174189 SUSE Bug 1174189 https://bugzilla.suse.com/1174538 SUSE Bug 1174538 When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5. CVE-2020-6792 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6792.html CVE-2020-6792 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location. This vulnerability affects Thunderbird < 68.5. CVE-2020-6793 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6793.html CVE-2020-6793 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5. CVE-2020-6794 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6794.html CVE-2020-6794 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects Thunderbird < 68.5. CVE-2020-6795 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6795.html CVE-2020-6795 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note: this issue only occurs on Mac OSX. Other operating systems are unaffected. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5. CVE-2020-6797 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6797.html CVE-2020-6797 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but is potentially a risk in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5. CVE-2020-6798 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6798.html CVE-2020-6798 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5. CVE-2020-6800 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6800.html CVE-2020-6800 https://bugzilla.suse.com/1163368 SUSE Bug 1163368 When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. CVE-2020-6805 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6805.html CVE-2020-6805 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. CVE-2020-6806 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6806.html CVE-2020-6806 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 When a device was changed while a stream was about to be destroyed, the <code>stream-reinit</code> task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. CVE-2020-6807 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6807.html CVE-2020-6807 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. CVE-2020-6811 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6811.html CVE-2020-6811 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. CVE-2020-6812 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6812.html CVE-2020-6812 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. CVE-2020-6814 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6814.html CVE-2020-6814 https://bugzilla.suse.com/1166238 SUSE Bug 1166238 Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. CVE-2020-6819 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6819.html CVE-2020-6819 https://bugzilla.suse.com/1168630 SUSE Bug 1168630 https://bugzilla.suse.com/1168874 SUSE Bug 1168874 Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. CVE-2020-6820 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6820.html CVE-2020-6820 https://bugzilla.suse.com/1168630 SUSE Bug 1168630 https://bugzilla.suse.com/1168874 SUSE Bug 1168874 When reading from areas partially or fully outside the source resource with WebGL's <code>copyTexSubImage</code> method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. CVE-2020-6821 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6821.html CVE-2020-6821 https://bugzilla.suse.com/1168630 SUSE Bug 1168630 https://bugzilla.suse.com/1168874 SUSE Bug 1168874 On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in <code>GMPDecodeData</code>. It is possible that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. CVE-2020-6822 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6822.html CVE-2020-6822 https://bugzilla.suse.com/1168630 SUSE Bug 1168630 https://bugzilla.suse.com/1168874 SUSE Bug 1168874 Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. CVE-2020-6825 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6825.html CVE-2020-6825 https://bugzilla.suse.com/1168630 SUSE Bug 1168630 https://bugzilla.suse.com/1168874 SUSE Bug 1168874 A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-6831 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6831.html CVE-2020-6831 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 https://bugzilla.suse.com/1171247 SUSE Bug 1171247 If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. CVE-2021-23953 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23953.html CVE-2021-23953 https://bugzilla.suse.com/1181414 SUSE Bug 1181414 Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. CVE-2021-23954 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23954.html CVE-2021-23954 https://bugzilla.suse.com/1181414 SUSE Bug 1181414 Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. CVE-2021-23960 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23960.html CVE-2021-23960 https://bugzilla.suse.com/1181414 SUSE Bug 1181414 Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85. CVE-2021-23961 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23961.html CVE-2021-23961 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. CVE-2021-23964 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23964.html CVE-2021-23964 https://bugzilla.suse.com/1181414 SUSE Bug 1181414 If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. CVE-2021-23968 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23968.html CVE-2021-23968 https://bugzilla.suse.com/1182614 SUSE Bug 1182614 As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that's not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. CVE-2021-23969 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23969.html CVE-2021-23969 https://bugzilla.suse.com/1182614 SUSE Bug 1182614 When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. CVE-2021-23973 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23973.html CVE-2021-23973 https://bugzilla.suse.com/1182614 SUSE Bug 1182614 Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. CVE-2021-23978 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23978.html CVE-2021-23978 https://bugzilla.suse.com/1182614 SUSE Bug 1182614 A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. CVE-2021-23981 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23981.html CVE-2021-23981 https://bugzilla.suse.com/1183942 SUSE Bug 1183942 Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. CVE-2021-23982 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23982.html CVE-2021-23982 https://bugzilla.suse.com/1183942 SUSE Bug 1183942 A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. CVE-2021-23984 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23984.html CVE-2021-23984 https://bugzilla.suse.com/1183942 SUSE Bug 1183942 Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. CVE-2021-23987 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23987.html CVE-2021-23987 https://bugzilla.suse.com/1183942 SUSE Bug 1183942 If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1. CVE-2021-23991 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23991.html CVE-2021-23991 https://bugzilla.suse.com/1184536 SUSE Bug 1184536 An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1. CVE-2021-23993 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23993.html CVE-2021-23993 https://bugzilla.suse.com/1184536 SUSE Bug 1184536 A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-23994 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23994.html CVE-2021-23994 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-23995 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23995.html CVE-2021-23995 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-23998 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23998.html CVE-2021-23998 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-23999 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23999.html CVE-2021-23999 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-24002 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-24002.html CVE-2021-24002 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-29945 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29945.html CVE-2021-29945 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. CVE-2021-29946 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29946.html CVE-2021-29946 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user is replacing the file. This vulnerability affects Thunderbird < 78.10. CVE-2021-29948 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29948.html CVE-2021-29948 https://bugzilla.suse.com/1184960 SUSE Bug 1184960 OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2. CVE-2021-29956 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29956.html CVE-2021-29956 https://bugzilla.suse.com/1186199 SUSE Bug 1186199 If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2. CVE-2021-29957 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29957.html CVE-2021-29957 https://bugzilla.suse.com/1186198 SUSE Bug 1186198 A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process incorrectly, leading to an out-of-bounds read. *This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11. CVE-2021-29964 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29964.html CVE-2021-29964 https://bugzilla.suse.com/1186696 SUSE Bug 1186696 Mozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11. CVE-2021-29967 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29967.html CVE-2021-29967 https://bugzilla.suse.com/1186696 SUSE Bug 1186696 If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12. CVE-2021-29969 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29969.html CVE-2021-29969 A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. CVE-2021-29970 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29970.html CVE-2021-29970 https://bugzilla.suse.com/1188275 SUSE Bug 1188275 Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. CVE-2021-29976 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29976.html CVE-2021-29976 https://bugzilla.suse.com/1188275 SUSE Bug 1188275 Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29980 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29980.html CVE-2021-29980 Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29984 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29984.html CVE-2021-29984 A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29985 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29985.html CVE-2021-29985 A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29986 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29986.html CVE-2021-29986 Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29988 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29988.html CVE-2021-29988 Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29989 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29989.html CVE-2021-29989 Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1. CVE-2021-29991 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-29991.html CVE-2021-29991 https://bugzilla.suse.com/1189547 SUSE Bug 1189547 Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. CVE-2021-30547 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-30547.html CVE-2021-30547 https://bugzilla.suse.com/1187141 SUSE Bug 1187141 https://bugzilla.suse.com/1188275 SUSE Bug 1188275 When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1. CVE-2021-38492 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38492.html CVE-2021-38492 https://bugzilla.suse.com/1190269 SUSE Bug 1190269 Mozilla developers reported memory safety bugs present in Thunderbird 78.13.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.1 and Firefox ESR < 91.1. CVE-2021-38495 openSUSE Tumbleweed:MozillaThunderbird-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.1.1-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.1.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38495.html CVE-2021-38495 https://bugzilla.suse.com/1190269 SUSE Bug 1190269