SUSE-SU-2020:3528-1: important: Security update for MozillaThunderbird

Thu Nov 26 07:15:20 MST 2020

   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3528-1
Rating:             important
References:         #1178894 
Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951
                    CVE-2020-26953 CVE-2020-26956 CVE-2020-26958
                    CVE-2020-26959 CVE-2020-26960 CVE-2020-26961
                    CVE-2020-26965 CVE-2020-26966 CVE-2020-26968

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird fixes the following issues:

       TODO
   - Mozilla Thunderbird 78.5.0
     * new: OpenPGP: Added option to disable attaching the public key to a
       signed message (bmo#1654950)
     * new: MailExtensions: "compose_attachments" context added to Menus API
       (bmo#1670822)
     * new: MailExtensions: Menus API now available on displayed messages
       (bmo#1670825)
     * changed: MailExtensions: browser.tabs.create will now wait for
       "mail-delayed-startup-finished" event (bmo#1674407)
     * fixed: OpenPGP: Support for inline PGP messages improved (bmo#1672851)
     * fixed: OpenPGP: Message security dialog showed unverified keys as
       unavailable (bmo#1675285)
     * fixed: Chat: New chat contact menu item did not function (bmo#1663321)
     * fixed: Various theme and usability improvements (bmo#1673861)
     * fixed: Various security fixes MFSA 2020-52 (bsc#1178894)
     * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and
       bypass security sanitizer for chrome privileged code
     * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin
       images during drawImage calls
     * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without
       displaying the security UI
     * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard
       API)
     * CVE-2020-26958 (bmo#1669355) Requests intercepted through
       ServiceWorkers lacked MIME type restrictions
     * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
     * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of
       nsTArray
     * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
     * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP
       Addresses
     * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered
       typed passwords
     * CVE-2020-26966 (bmo#1663571) Single-word search queries were also
       broadcast to local network
     * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739,
       bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs
       fixed in Thunderbird 78.5

   - Mozilla Thunderbird 78.4.3
     * fixed: User interface was inconsistent when switching from the default
       theme to the dark theme and back to the default theme (bmo#1659282)
     * fixed: Email subject would disappear when hovering over it with the
       mouse when using Windows 7 Classic theme (bmo#1675970)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3528=1

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3528=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      MozillaThunderbird-78.5.0-3.107.1
      MozillaThunderbird-debuginfo-78.5.0-3.107.1
      MozillaThunderbird-debugsource-78.5.0-3.107.1
      MozillaThunderbird-translations-common-78.5.0-3.107.1
      MozillaThunderbird-translations-other-78.5.0-3.107.1

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      MozillaThunderbird-78.5.0-3.107.1
      MozillaThunderbird-debuginfo-78.5.0-3.107.1
      MozillaThunderbird-debugsource-78.5.0-3.107.1
      MozillaThunderbird-translations-common-78.5.0-3.107.1
      MozillaThunderbird-translations-other-78.5.0-3.107.1

References:

   https://www.suse.com/security/cve/CVE-2020-15999.html
   https://www.suse.com/security/cve/CVE-2020-16012.html
   https://www.suse.com/security/cve/CVE-2020-26951.html
   https://www.suse.com/security/cve/CVE-2020-26953.html
   https://www.suse.com/security/cve/CVE-2020-26956.html
   https://www.suse.com/security/cve/CVE-2020-26958.html
   https://www.suse.com/security/cve/CVE-2020-26959.html
   https://www.suse.com/security/cve/CVE-2020-26960.html
   https://www.suse.com/security/cve/CVE-2020-26961.html
   https://www.suse.com/security/cve/CVE-2020-26965.html
   https://www.suse.com/security/cve/CVE-2020-26966.html
   https://www.suse.com/security/cve/CVE-2020-26968.html
   https://bugzilla.suse.com/1178894