Thunderbird v52.5.2 released to fix Critical, High, Moderate security issues with prior versions of the Mozilla email client.
CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9 = A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected.
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin = It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via “View -> Feed article -> Website” or in the standard format of “View -> Feed article -> default format”.
CVE-2017-7847: Local path string can be leaked from RSS feed = Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name.
CVE-2017-7848: RSS Feed vulnerable to new line Injection = RSS fields can inject new lines into the created email structure, modifying the message body.
ky331
3 Apprentice
•
15.6K Posts
0
December 28th, 2017 11:00
FF ESR has been updated to 52.5.3
https://www.mozilla.org/en-US/firefox/52.5.3/releasenotes/
RoHe
10 Elder
•
45.2K Posts
0
December 28th, 2017 12:00
Thunderbird v52.5.2 released to fix Critical, High, Moderate security issues with prior versions of the Mozilla email client.
CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9 = A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash.
Note: This attack only affects Windows operating systems. Other operating systems are unaffected.
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin = It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via “View -> Feed article -> Website” or in the standard format of “View -> Feed article -> default format”.
CVE-2017-7847: Local path string can be leaked from RSS feed = Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name.
CVE-2017-7848: RSS Feed vulnerable to new line Injection = RSS fields can inject new lines into the created email structure, modifying the message body.