SUSE-SU-2022:3800-1: important: Security update for MozillaThunderbird
sle-security-updates at lists.suse.com
Thu Oct 27 16:23:08 UTC 2022
SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3800-1
Rating: important
References: #1203477 #1204411 #1204421
Cross-References: CVE-2022-3155 CVE-2022-3266 CVE-2022-39236
CVE-2022-39249 CVE-2022-39250 CVE-2022-39251
CVE-2022-40956 CVE-2022-40957 CVE-2022-40958
CVE-2022-40959 CVE-2022-40960 CVE-2022-40962
CVSS scores:
CVE-2022-39236 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-39236 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE-2022-39249 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2022-39249 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2022-39250 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2022-39250 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2022-39251 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2022-39251 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Linux Enterprise Storage 7.1
SUSE Linux Enterprise Workstation Extension 15-SP3
SUSE Linux Enterprise Workstation Extension 15-SP4
SUSE Manager Proxy 4.2
SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.2
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.2
SUSE Manager Server 4.3
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes 12 vulnerabilities is now available.
Description:
This update for MozillaThunderbird fixes the following issues:
- Mozilla Thunderbird 102.4.0 (bsc#1204421)
* changed: Thunderbird will automatically detect and repair OpenPGP key
storage corruption caused by using the profile import tool in
Thunderbird 102
* fixed: POP message download into a large folder (~13000 messages)
caused Thunderbird to temporarily freeze
* fixed: Forwarding messages with special characters in Subject failed
on Windows
* fixed: Links for FileLink attachments were not added when attachment
filename contained Unicode characters
* fixed: Address Book display pane continued to show contacts after
deletion
* fixed: Printing address book did not include all contact details
* fixed: CardDAV contacts without a Name property did not save to Google
Contacts
* fixed: "Publish Calendar" did not work
* fixed: Calendar database storage improvements
* fixed: Incorrectly handled error responses from CalDAV servers
sometimes caused events to disappear from calendar
* fixed: Various visual and UX improvements
- Mozilla Thunderbird 102.3.3
* new: Option added to show containing address book for a contact when
using `All Address Books` in vertical mode (bmo#1778871)
* changed: Thunderbird will try to use POP NTLM authentication even if
not advertised by server (bmo#1793349)
* changed: Task List and Today Pane sidebars will no longer load when
not visible (bmo#1788549)
* fixed: Sending a message while a recipient pill was being modified did
not save changes (bmo#1779785)
* fixed: Nickname column was not available in horizontal view
of Address Book (bmo#1778000)
* fixed: Multiline organization values were displayed across two columns
in horizontal view of Address Book (bmo#1777780)
* fixed: Contact vCard fields with multiple values such as Categories
were truncated when saved (bmo#1792399)
* fixed: ICS calendar files with a `FREEBUSY` property could not be
imported (bmo#1783441)
* fixed: Thunderbird would hang if calendar event exceeded the year 2035
(bmo#1789999)
- Mozilla Thunderbird 102.3.2
* changed: Thunderbird will try to use POP CRAM-MD5 authentication even
if not advertised by server (bmo#1789975)
* fixed: Checking messages on POP3 accounts caused POP folder to lock if
mail server was slow or non-responsive (bmo#1792451)
* fixed: Newsgroups named with consecutive dots would not appear when
refreshing list of newsgroups (bmo#1787789)
* fixed: Sending news articles containing lines starting with dot were
sometimes clipped (bmo#1787955)
* fixed: CardDAV server sync silently failed if sync token expired
(bmo#1791183)
* fixed: Contacts from LDAP on macOS address books were not displayed
(bmo#1791347)
* fixed: Chat account input now accepts URIs for supported chat
protocols (bmo#1776706)
* fixed: Chat ScreenName field was not migrated to new address book
(bmo#1789990)
* fixed: Creating a New Event from the Today Pane used the currently
selected day from the main calendar instead of from the Today Pane
(bmo#1791203)
* fixed: `New Event` button in Today Pane was incorrectly disabled
sometimes (bmo#1792058)
* fixed: Event reminder windows did not close after being dismissed or
snoozed (bmo#1791228)
* fixed: Improved performance of recurring event date calculation
(bmo#1787677)
* fixed: Quarterly calendar events on the last day of the month repeated
one month early (bmo#1789362)
* fixed: Thunderbird would hang if calendar event exceeded the year 2035
(bmo#1789999)
* fixed: Whitespace in calendar events was incorrectly handled when
upgrading from Thunderbird 91 to 102 (bmo#1790339)
* fixed: Various visual and UX improvements (bmo#1755623,
bmo#1783903, bmo#1785851, bmo#1786434, bmo#1787286, bmo#1788151,
bmo#1789728, bmo#1790499)
- Mozilla Thunderbird 102.3.1
* changed: Compose window encryption options now only appear for
encryption technologies that have already been configured (bmo#1788988)
* changed: Number of contacts in currently selected address book now
displayed at bottom of Address Book list column (bmo#1745571)
* fixed: Password prompt did not include server hostname for POP servers
(bmo#1786920)
* fixed: `Edit Contact` was missing from Contacts sidebar context menus
(bmo#1771795)
* fixed: Address Book contact lists cut off display of some characters,
the result being unreadable (bmo#1780909)
* fixed: Menu items for dark-themed alarm dialog were invisible
on Windows 7 (bmo#1791738)
* fixed: Various security fixes MFSA 2022-43 (bsc#1204411)
* CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird
vulnerable to an impersonation attack by malicious server
administrators
* CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird
vulnerable to a device verification attack
* CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird
vulnerable to an impersonation attack
* CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird
vulnerable to a data corruption issue
- Mozilla Thunderbird 102.3
* changed: Thunderbird will no longer attempt to import account
passwords when importing from another Thunderbird profile in
order to prevent profile corruption and permanent data loss.
(bmo#1790605)
* changed: Devtools performance profile will use Thunderbird presets
instead of Web Developer presets (bmo#1785954)
* fixed: Thunderbird startup performance improvements (bmo#1785967)
* fixed: Saving email source and images failed (bmo#1777323,bmo#1778804)
* fixed: Error message was shown repeatedly when temporary disk space
was full (bmo#1788580)
* fixed: Attaching OpenPGP keys without a set size to non-encrypted
messages briefly displayed a size of zero bytes (bmo#1788952)
* fixed: Global Search entry box initially contained "undefined"
(bmo#1780963)
* fixed: Delete from POP Server mail filter rule intermittently failed
to trigger (bmo#1789418)
* fixed: Connections to POP3 servers without UIDL support failed
(bmo#1789314)
* fixed: POP accounts with "Fetch headers only" set downloaded complete
messages if server did not advertise TOP capability (bmo#1789356)
* fixed: "File -> New -> Address Book Contact" from Compose window did
not work (bmo#1782418)
* fixed: Attach "My vCard" option in compose window was not available
(bmo#1787614)
* fixed: Improved performance of matching a contact to an email address
(bmo#1782725)
* fixed: Address book only recognized a contact's first two email
addresses (bmo#1777156)
* fixed: Address book search and autocomplete failed if a contact vCard
could not be parsed (bmo#1789793)
* fixed: Downloading NNTP messages for offline use failed (bmo#1785773)
* fixed: NNTP client became stuck when connecting to Public-Inbox
servers (bmo#1786203)
* fixed: Various visual and UX improvements
(bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324)
* fixed: Various security fixes
* unresolved: No dedicated "Department" field in address book
(bmo#1777780)
MFSA 2022-42 (bsc#1203477)
* CVE-2022-3266 (bmo#1767360) Out of bounds read when decoding H264
* CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on
transient pages
* CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in
threads
* CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for
cookies with __Host and __Secure prefix
* CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when
building WASM on ARM64
* CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS
could be executed without warning
* CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109,
bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-3800=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-3800=1
- SUSE Linux Enterprise Workstation Extension 15-SP4:
zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-3800=1
- SUSE Linux Enterprise Workstation Extension 15-SP3:
zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-3800=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3800=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3800=1
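To confirm after patching that a host carries the fixed build, the installed version-release can be compared with the one in the Package List below. This is an added example, not part of the SUSE announcement; the function names are hypothetical, and it assumes GNU `sort -V`, which orders these purely numeric version strings the same way rpm does.

```shell
#!/bin/sh
# Added example, not SUSE's own tooling.
# Fixed build, taken from the Package List of SUSE-SU-2022:3800-1.
FIXED="102.4.0-150200.8.85.1"

# is_fixed VERSION-RELEASE
# Returns 0 when the given version-release is the fixed build or newer.
# The lower of the two strings must be $FIXED for the host to be patched.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# check_installed
# Queries the local rpm database and reports the patch state.
# Returns 1 only when an older, unpatched build is installed.
check_installed() {
    if ! inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' MozillaThunderbird 2>/dev/null); then
        echo "MozillaThunderbird is not installed"
        return 0
    fi
    if is_fixed "$inst"; then
        echo "OK: $inst includes SUSE-SU-2022:3800-1"
    else
        echo "UNPATCHED: $inst is older than $FIXED"
        return 1
    fi
}
```

Source the file and call `check_installed` on each host; the non-zero return for an unpatched build makes it usable in a fleet-wide compliance loop.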
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
MozillaThunderbird-102.4.0-150200.8.85.1
MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
MozillaThunderbird-102.4.0-150200.8.85.1
MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
- SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64):
MozillaThunderbird-102.4.0-150200.8.85.1
MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
MozillaThunderbird-102.4.0-150200.8.85.1
MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x):
MozillaThunderbird-102.4.0-150200.8.85.1
MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x):
MozillaThunderbird-102.4.0-150200.8.85.1
MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
References:
https://www.suse.com/security/cve/CVE-2022-3155.html
https://www.suse.com/security/cve/CVE-2022-3266.html
https://www.suse.com/security/cve/CVE-2022-39236.html
https://www.suse.com/security/cve/CVE-2022-39249.html
https://www.suse.com/security/cve/CVE-2022-39250.html
https://www.suse.com/security/cve/CVE-2022-39251.html
https://www.suse.com/security/cve/CVE-2022-40956.html
https://www.suse.com/security/cve/CVE-2022-40957.html
https://www.suse.com/security/cve/CVE-2022-40958.html
https://www.suse.com/security/cve/CVE-2022-40959.html
https://www.suse.com/security/cve/CVE-2022-40960.html
https://www.suse.com/security/cve/CVE-2022-40962.html
https://bugzilla.suse.com/1203477
https://bugzilla.suse.com/1204411
https://bugzilla.suse.com/1204421