SUSE-SU-2022:4085-1: important: Security update for MozillaThunderbird
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri Nov 18 20:26:16 UTC 2022
SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:4085-1
Rating: important
References: #1204421 #1205270
Cross-References: CVE-2022-42927 CVE-2022-42928 CVE-2022-42929
CVE-2022-42932 CVE-2022-45403 CVE-2022-45404
CVE-2022-45405 CVE-2022-45406 CVE-2022-45408
CVE-2022-45409 CVE-2022-45410 CVE-2022-45411
CVE-2022-45412 CVE-2022-45416 CVE-2022-45418
CVE-2022-45420 CVE-2022-45421
CVSS scores:
CVE-2022-42927 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-42928 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-42929 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-42932 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Linux Enterprise Workstation Extension 15-SP3
SUSE Linux Enterprise Workstation Extension 15-SP4
SUSE Manager Proxy 4.2
SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.2
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.2
SUSE Manager Server 4.3
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes 17 vulnerabilities is now available.
Description:
This update for MozillaThunderbird fixes the following issues:
- Fixed various security issues (MFSA 2022-49, bsc#1205270):
* CVE-2022-45403 (bmo#1762078) Service Workers might have learned size
of cross-origin media files
* CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream
implementation
* CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
* CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via
windowName
* CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests
bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via
non-standard override headers
* CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially
uninitialized buffers
* CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
* CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn
over browser UI
* CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside
the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety
bugs fixed in Thunderbird 102.5
- Fixed various security issues: (MFSA 2022-46, bsc#1204421):
* CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have
leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety
bugs fixed in Thunderbird 102.4
- Mozilla Thunderbird 102.5
* changed: `Ctrl+N` shortcut to create new contacts from address book
restored (bmo#1751288)
* fixed: Account Settings UI did not update to reflect default identity
changes (bmo#1782646)
* fixed: New POP mail notifications were incorrectly shown for messages
marked by filters as read or junk (bmo#1787531)
* fixed: Connecting to an IMAP server configured to use `PREAUTH` caused
Thunderbird to hang (bmo#1798161)
* fixed: Error responses received in greeting header from NNTP servers
did not display error message (bmo#1792281)
* fixed: News messages sent using "Send Later" failed to send after
going back online (bmo#1794997)
* fixed: "Download/Sync Now..." did not completely sync all newsgroups
before going offline (bmo#1795547)
* fixed: Username was missing from error dialog on failed login to news
server (bmo#1796964)
* fixed: Thunderbird can now fetch RSS channel feeds with incomplete
channel URL (bmo#1794775)
* fixed: Add-on "Contribute" button in Add-ons Manager did not work
(bmo#1795751)
* fixed: Help text for `/part` Matrix command was incorrect (bmo#1795578)
* fixed: Invite Attendees dialog did not fetch free/busy info for
attendees with encoded characters in their name (bmo#1797927)
- Mozilla Thunderbird 102.4.2
* changed: "Address Book" button in Account Central will now create a
CardDAV address book instead of a local address book (bmo#1793903)
* fixed: Messages fetched from POP server in `Fetch headers
only` mode disappeared when moved to different folder by filter action
(bmo#1793374)
* fixed: Thunderbird re-downloaded locally deleted messages from a POP
server when "Leave messages on server" and "Until I delete them" were
enabled (bmo#1796903)
* fixed: Multiple password prompts for the same POP account could be
displayed (bmo#1786920)
* fixed: IMAP authentication failed on next startup if ImapMail folder
was deleted by user (bmo#1793599)
* fixed: Retrieving passwords for authenticated NNTP accounts could fail
due to obsolete preferences in a users profile on every startup
(bmo#1770594)
* fixed: `Get Next n Messages` did not consistently fetch all messages
requested from NNTP server (bmo#1794185)
* fixed: `Get Messages` button unable to fetch messages from NNTP server
if root folder not selected (bmo#1792362)
* fixed: Thunderbird text branding did not always match locale
of localized build (bmo#1786199)
* fixed: Thunderbird installer and Thunderbird updater created Windows
shortcuts with different names (bmo#1787264)
* fixed: LDAP search filters unable to work with non-ASCII characters
(bmo#1794306)
* fixed: "Today" highlighting in Calendar Month view did not update
after date change at midnight (bmo#1795176)
- Mozilla Thunderbird 102.4.1
* new: Thunderbird will now catch and report errors parsing vCards that
contain incorrectly formatted dates (bmo#1793415)
* fixed: Dynamic language switching did not update interface when
switched to right-to-left languages (bmo#1794289)
* fixed: Custom header data was discarded after messages were saved as
draft and reopened (bmo#195716)
* fixed: `-remote` command line argument did not work, affecting
integration with various applications such as LibreOffice (bmo#1793323)
* fixed: Messages received via some SMS-to-email services could not
display images (bmo#1774805)
* fixed: VCards with nickname field set could not be edited (bmo#1793877)
* fixed: Some recurring events were missing from Agenda on first load
(bmo#1771168)
* fixed: Download requests for remote ICS calendars incorrectly set
"Accept" header to text/xml (bmo#1793757)
* fixed: Monthly events created on the 31st of a month with <30 days
placed first occurrence 1-2 days after the beginning of the following
month (bmo#1266797)
* fixed: Various visual and UX improvements
(bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)
* changed: Thunderbird will automatically detect and repair OpenPGP key
storage corruption caused by using the profile import tool in
Thunderbird 102 (bmo#1790610)
* fixed: POP message download into a large folder (~13000 messages)
caused Thunderbird to temporarily freeze (bmo#1792675)
* fixed: Forwarding messages with special characters in Subject failed
on Windows (bmo#1782173)
* fixed: Links for FileLink attachments were not added when attachment
filename contained Unicode characters (bmo#1789589)
* fixed: Address Book display pane continued to show contacts after
deletion (bmo#1777808)
* fixed: Printing address book did not include all contact details
(bmo#1782076)
* fixed: CardDAV contacts without a Name property did not save to Google
Contacts (bmo#1792101)
* fixed: "Publish Calendar" did not work (bmo#1794471)
* fixed: Calendar database storage improvements (bmo#1792124)
* fixed: Incorrectly handled error responses from CalDAV servers
sometimes caused events to disappear from calendar (bmo#1792923)
* fixed: Various visual and UX improvements (bmo#1776093,bmo#17
80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179 3543)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-4085=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-4085=1
- SUSE Linux Enterprise Workstation Extension 15-SP4:
zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-4085=1
- SUSE Linux Enterprise Workstation Extension 15-SP3:
zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-4085=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4085=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-4085=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
MozillaThunderbird-102.5.0-150200.8.90.1
MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
MozillaThunderbird-102.5.0-150200.8.90.1
MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
- SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64):
MozillaThunderbird-102.5.0-150200.8.90.1
MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
MozillaThunderbird-102.5.0-150200.8.90.1
MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x):
MozillaThunderbird-102.5.0-150200.8.90.1
MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x):
MozillaThunderbird-102.5.0-150200.8.90.1
MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
References:
https://www.suse.com/security/cve/CVE-2022-42927.html
https://www.suse.com/security/cve/CVE-2022-42928.html
https://www.suse.com/security/cve/CVE-2022-42929.html
https://www.suse.com/security/cve/CVE-2022-42932.html
https://www.suse.com/security/cve/CVE-2022-45403.html
https://www.suse.com/security/cve/CVE-2022-45404.html
https://www.suse.com/security/cve/CVE-2022-45405.html
https://www.suse.com/security/cve/CVE-2022-45406.html
https://www.suse.com/security/cve/CVE-2022-45408.html
https://www.suse.com/security/cve/CVE-2022-45409.html
https://www.suse.com/security/cve/CVE-2022-45410.html
https://www.suse.com/security/cve/CVE-2022-45411.html
https://www.suse.com/security/cve/CVE-2022-45412.html
https://www.suse.com/security/cve/CVE-2022-45416.html
https://www.suse.com/security/cve/CVE-2022-45418.html
https://www.suse.com/security/cve/CVE-2022-45420.html
https://www.suse.com/security/cve/CVE-2022-45421.html
https://bugzilla.suse.com/1204421
https://bugzilla.suse.com/1205270
More information about the sle-security-updates
mailing list