{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20172838", "Version": "oval:org.altlinux.errata:def:20172838", "Class": "patch", "Metadata": { "Title": "ALT-PU-2017-2838: package `thunderbird` update to version 52.5.2-alt1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch p10" ], "Products": [ "ALT Server", "ALT Virtualization Server", "ALT Workstation", "ALT Workstation K", "ALT Education", "Simply Linux", "Starterkit" ] } ], "References": [ { "RefID": "ALT-PU-2017-2838", "RefURL": "https://errata.altlinux.org/ALT-PU-2017-2838", "Source": "ALTPU" }, { "RefID": "CVE-2017-7829", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7829", "Source": "CVE" }, { "RefID": "CVE-2017-7846", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7846", "Source": "CVE" }, { "RefID": "CVE-2017-7847", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7847", "Source": "CVE" }, { "RefID": "CVE-2017-7848", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7848", "Source": "CVE" } ], "Description": "This update upgrades thunderbird to version 52.5.2-alt1. \nSecurity Fix(es):\n\n * CVE-2017-7829: It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird \u003c 52.5.2.\n\n * CVE-2017-7846: It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via \"View -\u003e Feed article -\u003e Website\" or in the standard format of \"View -\u003e Feed article -\u003e default format\". This vulnerability affects Thunderbird \u003c 52.5.2.\n\n * CVE-2017-7847: Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird \u003c 52.5.2.\n\n * CVE-2017-7848: RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird \u003c 52.5.2.", "Advisory": { "From": "errata.altlinux.org", "Severity": "High", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2017-12-26" }, "Updated": { "Date": "2017-12-26" }, "BDUs": null, "CVEs": [ { "ID": "CVE-2017-7829", "CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "CWE": "CWE-20", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7829", "Impact": "Low", "Public": "20180611" }, { "ID": "CVE-2017-7846", "CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "CWE": "CWE-74", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7846", "Impact": "High", "Public": "20180611" }, { "ID": "CVE-2017-7847", "CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "CWE": "CWE-200", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7847", "Impact": "Low", "Public": "20180611" }, { "ID": "CVE-2017-7848", "CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "CWE": "CWE-74", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7848", "Impact": "Low", "Public": "20180611" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:kworkstation:10", "cpe:/o:alt:workstation:10", "cpe:/o:alt:server:10", "cpe:/o:alt:server-v:10", "cpe:/o:alt:education:10", "cpe:/o:alt:slinux:10", "cpe:/o:alt:starterkit:p10", "cpe:/o:alt:kworkstation:10.1", "cpe:/o:alt:workstation:10.1", "cpe:/o:alt:server:10.1", "cpe:/o:alt:server-v:10.1", "cpe:/o:alt:education:10.1", "cpe:/o:alt:slinux:10.1", "cpe:/o:alt:starterkit:10.1", "cpe:/o:alt:kworkstation:10.2", "cpe:/o:alt:workstation:10.2", "cpe:/o:alt:server:10.2", "cpe:/o:alt:server-v:10.2", "cpe:/o:alt:education:10.2", "cpe:/o:alt:slinux:10.2", "cpe:/o:alt:starterkit:10.2" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:2001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20172838001", "Comment": "rpm-build-thunderbird is earlier than 0:52.5.2-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20172838002", "Comment": "thunderbird is earlier than 0:52.5.2-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20172838003", "Comment": "thunderbird-devel is earlier than 0:52.5.2-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20172838004", "Comment": "thunderbird-enigmail is earlier than 0:52.5.2-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20172838005", "Comment": "thunderbird-google-calendar is earlier than 0:52.5.2-alt1" } ] } ] } } ] }