File _patchinfo of Package patchinfo.7355

<patchinfo incident="7355">
  <issue id="1060445" tracker="bnc">VUL-0: MozillaFirefox 56 / 52.4.0esr security release</issue>
  <issue id="2017-7818" tracker="cve" />
  <issue id="2017-7819" tracker="cve" />
  <issue id="2017-7810" tracker="cve" />
  <issue id="2017-7814" tracker="cve" />
  <issue id="2017-7823" tracker="cve" />
  <issue id="2017-7805" tracker="cve" />
  <issue id="2017-7793" tracker="cve" />
  <issue id="2017-7824" tracker="cve" />
  <issue id="2017-7825" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>wrosenauer</packager>
  <description>

Mozilla Thunderbird was updated to 52.4.0 (boo#1060445)
  * new behavior was introduced for replies to mailing list posts:
    "When replying to a mailing list, reply will be sent to address
    in From header ignoring Reply-to header". A new preference
    mail.override_list_reply_to allows restoring the previous behavior.
  * Under certain circumstances (image attachment and non-image
    attachment), attached images were shown truncated in messages
    stored in IMAP folders not synchronised for offline use.
  * IMAP UIDs &gt; 0x7FFFFFFF now handled properly
  Security fixes from Gecko 52.4esr
  * CVE-2017-7793 (bmo#1371889)
    Use-after-free with Fetch API
  * CVE-2017-7818 (bmo#1363723)
    Use-after-free during ARIA array manipulation
  * CVE-2017-7819 (bmo#1380292)
    Use-after-free while resizing images in design mode
  * CVE-2017-7824 (bmo#1398381)
    Buffer overflow when drawing and validating elements with ANGLE
  * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
    Use-after-free in TLS 1.2 generating handshake hashes
  * CVE-2017-7814 (bmo#1376036)
    Blob and data URLs bypass phishing and malware protection warnings
  * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
    OS X fonts render some Tibetan and Arabic unicode characters as spaces
  * CVE-2017-7823 (bmo#1396320)
    CSP sandbox directive did not create a unique origin
  * CVE-2017-7810
    Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

- Add alsa-devel BuildRequires: we care for ALSA support to be
  built and thus need to ensure we get the dependencies in place.
  In the past, alsa-devel was pulled in by accident: we
  buildrequire libgnome-devel. This required esound-devel and that
  in turn pulled in alsa-devel for us. libgnome is being fixed to
  no longer require esound-devel.

</description>
  <summary>Security update for MozillaThunderbird</summary>
</patchinfo>