MGASA-2017-0477

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2017-0477.html

Import Source

https://advisories.mageia.org/MGASA-2017-0477.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2017-0477

Related

Published

2017-12-31T00:10:15Z

Modified

2017-12-30T23:43:13Z

Summary

Updated thunderbird packages fix security vulnerabilities

Details

Multiple vulnerabilies have been fixed in thunderbird. * JavaScript Execution via RSS in mailbox:// origin (CVE-2017-7846). * Local path string can be leaked from RSS feed (CVE-2017-7847). * RSS Feed vulnerable to new line Injection (CVE-2017-7848). * Mailsploit From address with encoded null character is cut off in message header display (CVE-2017-7829).

Multiple vulnerabilies have been fixed in the bundled enigmail package. * An issue was discovered that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list (CVE-2017-17843). * A remote attacker can obtain cleartext content by sending an encrypted data block to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text (CVE-2017-17844). * An issue was discovered where Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp) (CVE-2017-17845). * An issue was discovered where regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings (CVE-2017-17846). * An issue was discovered that signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message (CVE-2017-17847). * In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed (CVE-2017-17848)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / thunderbird

Package

Name: thunderbird
Purl: pkg:rpm/mageia/thunderbird?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

52.5.2-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / thunderbird-l10n

Package

Name: thunderbird-l10n
Purl: pkg:rpm/mageia/thunderbird-l10n?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

52.5.2-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / thunderbird

Package

Name: thunderbird
Purl: pkg:rpm/mageia/thunderbird?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

52.5.2-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / thunderbird-l10n

Package

Name: thunderbird-l10n
Purl: pkg:rpm/mageia/thunderbird-l10n?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

52.5.2-1.mga5

Ecosystem specific

{
    "section": "core"
}