[CESA-2016:2973] The latest version of thunderbird is now available for Red Hat Enterprise Linux 5 / 6 / 7.

CESA-2016:2973
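The latest version of thunderbird is now available for Red Hat Enterprise Linux 5 / 6 / 7. The security and quality of Red Hat products are very highly regarded. For this latest version, the Vulnerability Scoring System (CVSS) strictly classifies each security hole by its access and safety aspects and provides a reliable, detailed report. Click the links in the References section.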

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 45.6.0.
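To confirm that hosts actually received this update, the following added example (not part of the advisory or of any Red Hat or CentOS tooling) audits a "host version" inventory against the 45.6.0 release named above. It assumes the version column was collected with `rpm -q --queryformat '%{VERSION}\n' thunderbird`, that `not-installed` is the collector's own marker, and that only the upstream version is compared, not the RPM release field; the host names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag hosts whose thunderbird is older than 45.6.0.
FIXED_VERSION="45.6.0"

# version_ge A B: succeed when dotted numeric version A >= B.
# Written in plain sh because sort -V is missing from older coreutils.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                 # leading field of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                   # missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0                                   # all fields equal
}

# audit_inventory: read "host version" lines on stdin and print one line
# per host that needs attention (OUTDATED or UNKNOWN version format).
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        case $ver in
            not-installed) continue ;;         # assumed collector marker
            ''|*[!0-9.]*) echo "$host UNKNOWN $ver" ;;
            *) version_ge "$ver" "$FIXED_VERSION" || echo "$host OUTDATED $ver" ;;
        esac
    done
}

# Constructed sample inventory (hypothetical hosts and versions).
sample_inventory() {
    cat <<'EOF'
mail01 45.5.1
mail02 45.6.0
desk17 38.8.0
desk18 not-installed
desk19 45.10.0
desk20 45.6.0esr
EOF
}

sample_inventory | audit_inventory
```

Version strings that are not purely dotted numbers are reported as UNKNOWN rather than guessed at, so they get a manual look.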

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2016-9893, CVE-2016-9899, CVE-2016-9895, CVE-2016-9900,
CVE-2016-9901, CVE-2016-9902, CVE-2016-9905)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Wladimir Palant, Philipp, Andrew Krasichkov, insertscript,
Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel,
Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky as the original
reporters.

Bugs fixed (see bugzilla for more information)

1404083 – CVE-2016-9899 Mozilla: Use-after-free while manipulating DOM events and audio elements (MFSA 2016-94, MFSA 2016-95)
1404086 – CVE-2016-9895 Mozilla: CSP bypass using marquee tag (MFSA 2016-94, MFSA 2016-95)
1404090 – CVE-2016-9900 Mozilla: Restricted external resources can be loaded by SVG images through data URLs (MFSA 2016-94, MFSA 2016-95)
1404094 – CVE-2016-9905 Mozilla: Crash in EnumerateSubDocuments (MFSA 2016-94, MFSA 2016-95)
1404096 – CVE-2016-9893 Mozilla: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 (MFSA 2016-95)
1404358 – CVE-2016-9901 Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)
1404359 – CVE-2016-9902 Mozilla: Pocket extension does not validate the origin of events (MFSA 2016-94, MFSA 2016-95)