firefox and thunderbird are vulnerable to arbitrary code execution attacks. The vulnerability exists as multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
lists.opensuse.org/opensuse-security-announce/2015-11/msg00013.html
lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html
lists.opensuse.org/opensuse-security-announce/2015-11/msg00020.html
lists.opensuse.org/opensuse-security-announce/2015-11/msg00021.html
lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
lists.opensuse.org/opensuse-updates/2015-12/msg00037.html
lists.opensuse.org/opensuse-updates/2015-12/msg00049.html
rhn.redhat.com/errata/RHSA-2015-1982.html
rhn.redhat.com/errata/RHSA-2015-2519.html
www.debian.org/security/2015/dsa-3393
www.debian.org/security/2015/dsa-3410
www.mozilla.org/security/announce/2015/mfsa2015-116.html
www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
www.securityfocus.com/bid/77411
www.securitytracker.com/id/1034069
www.ubuntu.com/usn/USN-2785-1
www.ubuntu.com/usn/USN-2819-1
access.redhat.com/security/cve/CVE-2015-7199
access.redhat.com/security/cve/CVE-2015-7200
access.redhat.com/security/updates/classification/#critical
bugzilla.mozilla.org/show_bug.cgi?id=1107011
bugzilla.mozilla.org/show_bug.cgi?id=1191942
bugzilla.mozilla.org/show_bug.cgi?id=1193038
bugzilla.mozilla.org/show_bug.cgi?id=1204580
bugzilla.mozilla.org/show_bug.cgi?id=1204669
bugzilla.mozilla.org/show_bug.cgi?id=1204700
bugzilla.mozilla.org/show_bug.cgi?id=1205707
bugzilla.mozilla.org/show_bug.cgi?id=1206564
bugzilla.mozilla.org/show_bug.cgi?id=1208665
bugzilla.mozilla.org/show_bug.cgi?id=1209471
bugzilla.mozilla.org/show_bug.cgi?id=1213979
rhn.redhat.com/errata/RHSA-2015-1982.html
security.gentoo.org/glsa/201512-10
www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.4