Vulnerabilities > CVE-2017-7847 - Information Exposure vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1419.NASL description This update for Mozilla Thunderbird to version 52.5.2 fixes the following vulnerabilities : - CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin (bsc#1074043) - CVE-2017-7847: Local path string can be leaked from RSS feed (bsc#1074044) - CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045) - CVE-2017-7829: From address with encoded null character is cut off in message header display (bsc#1074046) last seen 2020-06-05 modified 2017-12-26 plugin id 105457 published 2017-12-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105457 title openSUSE Security Update : Mozilla Thunderbird (openSUSE-2017-1419) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-1419. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(105457); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-7829", "CVE-2017-7846", "CVE-2017-7847", "CVE-2017-7848"); script_name(english:"openSUSE Security Update : Mozilla Thunderbird (openSUSE-2017-1419)"); script_summary(english:"Check for the openSUSE-2017-1419 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for Mozilla Thunderbird to version 52.5.2 fixes the following vulnerabilities : - CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin (bsc#1074043) - CVE-2017-7847: Local path string can be leaked from RSS feed (bsc#1074044) - CVE-2017-7848: RSS Feed vulnerable to new line Injection (bsc#1074045) - CVE-2017-7829: From address with encoded null character is cut off in message header display (bsc#1074046)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074043" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074044" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074045" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074046" ); script_set_attribute( attribute:"solution", value:"Update the affected Mozilla Thunderbird packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-buildsymbols-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-debuginfo-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-debugsource-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-devel-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-translations-common-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-translations-other-52.5.2-41.24.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-52.5.2-53.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-buildsymbols-52.5.2-53.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-debuginfo-52.5.2-53.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-debugsource-52.5.2-53.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-devel-52.5.2-53.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-translations-common-52.5.2-53.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-translations-other-52.5.2-53.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaThunderbird / MozillaThunderbird-buildsymbols / etc"); }NASL family Windows NASL id MOZILLA_THUNDERBIRD_52_5_2.NASL description The version of Mozilla Thunderbird installed on the remote Windows host is prior to 52.5.2 It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 105507 published 2018-01-02 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105507 title Mozilla Thunderbird < 52.5.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(105507); script_version("1.4"); script_cvs_date("Date: 2018/07/17 12:00:07"); script_cve_id( "CVE-2017-7845", "CVE-2017-7846", "CVE-2017-7847", "CVE-2017-7848", "CVE-2017-7829" ); script_bugtraq_id(101832); script_name(english:"Mozilla Thunderbird < 52.5.2 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Thunderbird."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a mail client that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Mozilla Thunderbird installed on the remote Windows host is prior to 52.5.2 It is, therefore, affected by multiple vulnerabilities."); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/"); script_set_attribute(attribute:"solution", value: "Upgrade to Mozilla Thunderbird version 52.5.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/22"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/02"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:thunderbird"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Thunderbird/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/Mozilla/Thunderbird/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Thunderbird"); mozilla_check_version(installs:installs, product:'thunderbird', fix:'52.5.2', severity:SECURITY_HOLE);NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4075.NASL description Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service, information disclosure or spoofing of sender last seen 2020-06-01 modified 2020-06-02 plugin id 105497 published 2018-01-02 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105497 title Debian DSA-4075-1 : thunderbird - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0061.NASL description An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges cure53 and Sabri Haddouche as the original reporters. last seen 2020-05-31 modified 2018-01-08 plugin id 105646 published 2018-01-08 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105646 title RHEL 6 / 7 : thunderbird (RHSA-2018:0061) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3529-1.NASL description It was discovered that a From address encoded with a null character is cut off in the message header display. An attacker could potentially exploit this to spoof the sender address. (CVE-2017-7829) It was discovered that it is possible to execute JavaScript in RSS feeds in some circumstances. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this in combination with another vulnerability, in order to cause unspecified problems. (CVE-2017-7846) It was discovered that the RSS feed can leak local path names. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this to obtain sensitive information. (CVE-2017-7847) It was discovered that RSS feeds are vulnerable to new line injection. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this to cause unspecified problems. (CVE-2017-7848) Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, execute arbitrary code, or cause other unspecified effects. (CVE-2018-5089, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5013, CVE-2018-5104, CVE-2018-5117). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106482 published 2018-01-30 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106482 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : thunderbird vulnerabilities (USN-3529-1) NASL family Scientific Linux Local Security Checks NASL id SL_20180107_THUNDERBIRD_ON_SL6_X.NASL description This update upgrades Thunderbird to version 52.5.2. Security Fix(es) : - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829) last seen 2020-05-31 modified 2018-01-09 plugin id 105683 published 2018-01-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105683 title Scientific Linux Security Update : thunderbird on SL6.x, SL7.x i386/x86_64 (20180107) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-0061.NASL description An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges cure53 and Sabri Haddouche as the original reporters. last seen 2020-05-31 modified 2018-01-09 plugin id 105658 published 2018-01-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105658 title CentOS 6 / 7 : thunderbird (CESA-2018:0061) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201803-14.NASL description The remote host is affected by the vulnerability described in GLSA-201803-14 (Mozilla Thunderbird: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the referenced Mozilla Foundation Security Advisories and CVE identifiers below for details. Impact : A remote attacker may be able to execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, conduct URL hijacking, or conduct cross-site scripting (XSS). Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 108820 published 2018-04-04 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108820 title GLSA-201803-14 : Mozilla Thunderbird: Multiple vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-0061.NASL description From Red Hat Security Advisory 2018:0061 : An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges cure53 and Sabri Haddouche as the original reporters. last seen 2020-05-31 modified 2018-01-09 plugin id 105671 published 2018-01-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105671 title Oracle Linux 6 / 7 : thunderbird (ELSA-2018-0061) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0126_THUNDERBIRD.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has thunderbird packages installed that are affected by multiple vulnerabilities: - It is possible to spoof the sender last seen 2020-06-01 modified 2020-06-02 plugin id 127376 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127376 title NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0126) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1223.NASL description Multiple security issues have been found in the Mozilla Thunderbird mail client including information leaks, unintended JavaScript execution and sender address spoofing. For Debian 7 last seen 2020-03-17 modified 2017-12-28 plugin id 105465 published 2017-12-28 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105465 title Debian DLA-1223-1 : thunderbird security update NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0009_THUNDERBIRD.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has thunderbird packages installed that are affected by multiple vulnerabilities: - It is possible to spoof the sender last seen 2020-06-01 modified 2020-06-02 plugin id 127156 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127156 title NewStart CGSL MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0009) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6A09C80E6EC7442ABC65D72CE69FD887.NASL description Mozilla Foundation reports : CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9 CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin CVE-2017-7847: Local path string can be leaked from RSS feed CVE-2017-7848: RSS Feed vulnerable to new line Injection CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display last seen 2020-06-01 modified 2020-06-02 plugin id 105450 published 2017-12-26 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105450 title FreeBSD : mozilla -- multiple vulnerabilities (6a09c80e-6ec7-442a-bc65-d72ce69fd887)
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://www.securityfocus.com/bid/102258
- http://www.securitytracker.com/id/1040123
- https://access.redhat.com/errata/RHSA-2018:0061
- https://bugzilla.mozilla.org/show_bug.cgi?id=1411708
- https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html
- https://www.debian.org/security/2017/dsa-4075
- https://www.mozilla.org/security/advisories/mfsa2017-30/