SUSE-SU-2022:4085-1: important: Security update for MozillaThunderbird

sle-updates at lists.suse.com sle-updates at lists.suse.com
Fri Nov 18 20:26:09 UTC 2022


   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:4085-1
Rating:             important
References:         #1204421 #1205270 
Cross-References:   CVE-2022-42927 CVE-2022-42928 CVE-2022-42929
                    CVE-2022-42932 CVE-2022-45403 CVE-2022-45404
                    CVE-2022-45405 CVE-2022-45406 CVE-2022-45408
                    CVE-2022-45409 CVE-2022-45410 CVE-2022-45411
                    CVE-2022-45412 CVE-2022-45416 CVE-2022-45418
                    CVE-2022-45420 CVE-2022-45421
CVSS scores:
                    CVE-2022-42927 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-42928 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-42929 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2022-42932 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    SUSE Enterprise Storage 7.1
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Workstation Extension 15-SP4
                    SUSE Manager Proxy 4.2
                    SUSE Manager Proxy 4.3
                    SUSE Manager Retail Branch Server 4.2
                    SUSE Manager Retail Branch Server 4.3
                    SUSE Manager Server 4.2
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird fixes the following issues:

   - Fixed various security issues (MFSA 2022-49, bsc#1205270):
     * CVE-2022-45403 (bmo#1762078) Service Workers might have learned size
       of cross-origin media files
     * CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
     * CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream
       implementation
     * CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
     * CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via
       windowName
     * CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
     * CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests
       bypassed SameSite cookie policy
     * CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via
       non-standard override headers
     * CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially
       uninitialized buffers
     * CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
     * CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn
       over browser UI
     * CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside
       the iframe
     * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety
       bugs fixed in Thunderbird 102.5

   - Fixed various security issues: (MFSA 2022-46, bsc#1204421):
     * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have
       leaked cross-origin URLs
     * CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
     * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
     * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety
       bugs fixed in Thunderbird 102.4

   - Mozilla Thunderbird 102.5
     * changed: `Ctrl+N` shortcut to create new contacts from address book
       restored (bmo#1751288)
     * fixed: Account Settings UI did not update to reflect default identity
       changes (bmo#1782646)
     * fixed: New POP mail notifications were incorrectly shown for messages
       marked by filters as read or junk (bmo#1787531)
     * fixed: Connecting to an IMAP server configured to use `PREAUTH` caused
       Thunderbird to hang (bmo#1798161)
     * fixed: Error responses received in greeting header from NNTP servers
       did not display error message (bmo#1792281)
     * fixed: News messages sent using "Send Later" failed to send after
       going back online (bmo#1794997)
     * fixed: "Download/Sync Now..." did not completely sync all newsgroups
       before going offline (bmo#1795547)
     * fixed: Username was missing from error dialog on failed login to news
       server (bmo#1796964)
     * fixed: Thunderbird can now fetch RSS channel feeds with incomplete
       channel URL (bmo#1794775)
     * fixed: Add-on "Contribute" button in Add-ons Manager did not work
       (bmo#1795751)
     * fixed: Help text for `/part` Matrix command was incorrect (bmo#1795578)
     * fixed: Invite Attendees dialog did not fetch free/busy info for
       attendees with encoded characters in their name (bmo#1797927)

   - Mozilla Thunderbird 102.4.2
     * changed: "Address Book" button in Account Central will now create a
       CardDAV address book instead of a local address book (bmo#1793903)
     * fixed: Messages fetched from POP server in `Fetch headers
       only` mode disappeared when moved to different folder by filter action
        (bmo#1793374)
     * fixed: Thunderbird re-downloaded locally deleted messages from a POP
       server when "Leave messages on server" and "Until I delete them" were
       enabled (bmo#1796903)
     * fixed: Multiple password prompts for the same POP account could be
       displayed (bmo#1786920)
     * fixed: IMAP authentication failed on next startup if ImapMail folder
       was deleted by user (bmo#1793599)
     * fixed: Retrieving passwords for authenticated NNTP accounts could fail
       due to obsolete preferences in a users profile on every startup
       (bmo#1770594)
     * fixed: `Get Next n Messages` did not consistently fetch all messages
       requested from NNTP server (bmo#1794185)
     * fixed: `Get Messages` button unable to fetch messages from NNTP server
       if root folder not selected (bmo#1792362)
     * fixed: Thunderbird text branding did not always match locale
       of localized build (bmo#1786199)
     * fixed: Thunderbird installer and Thunderbird updater created Windows
       shortcuts with different names (bmo#1787264)
     * fixed: LDAP search filters unable to work with non-ASCII characters
       (bmo#1794306)
     * fixed: "Today" highlighting in Calendar Month view did not update
       after date change at midnight (bmo#1795176)

   - Mozilla Thunderbird 102.4.1
     * new: Thunderbird will now catch and report errors parsing vCards that
       contain incorrectly formatted dates (bmo#1793415)
     * fixed: Dynamic language switching did not update interface when
       switched to right-to-left languages (bmo#1794289)
     * fixed: Custom header data was discarded after messages were saved as
       draft and reopened (bmo#195716)
     * fixed: `-remote` command line argument did not work, affecting
       integration with various applications such as LibreOffice (bmo#1793323)
     * fixed: Messages received via some SMS-to-email services could not
       display images (bmo#1774805)
     * fixed: VCards with nickname field set could not be edited (bmo#1793877)
     * fixed: Some recurring events were missing from Agenda on first load
       (bmo#1771168)
     * fixed: Download requests for remote ICS calendars incorrectly set
       "Accept" header to text/xml (bmo#1793757)
     * fixed: Monthly events created on the 31st of a month with <30 days
       placed first occurrence 1-2 days after the beginning of the following
       month (bmo#1266797)
     * fixed: Various visual and UX improvements
       (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)

     * changed: Thunderbird will automatically detect and repair OpenPGP key
       storage corruption caused by using the profile import tool in
       Thunderbird 102 (bmo#1790610)
     * fixed: POP message download into a large folder (~13000 messages)
       caused Thunderbird to temporarily freeze (bmo#1792675)
     * fixed: Forwarding messages with special characters in Subject failed
       on Windows (bmo#1782173)
     * fixed: Links for FileLink attachments were not added when attachment
       filename contained Unicode characters (bmo#1789589)
     * fixed: Address Book display pane continued to show contacts after
       deletion (bmo#1777808)
     * fixed: Printing address book did not include all contact details
       (bmo#1782076)
     * fixed: CardDAV contacts without a Name property did not save to Google
       Contacts (bmo#1792101)
     * fixed: "Publish Calendar" did not work (bmo#1794471)
     * fixed: Calendar database storage improvements (bmo#1792124)
     * fixed: Incorrectly handled error responses from CalDAV servers
       sometimes caused events to disappear from calendar (bmo#1792923)
     * fixed: Various visual and UX improvements (bmo#1776093,bmo#17
       80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179 3543)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-4085=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-4085=1

   - SUSE Linux Enterprise Workstation Extension 15-SP4:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-4085=1

   - SUSE Linux Enterprise Workstation Extension 15-SP3:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-4085=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4085=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-4085=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      MozillaThunderbird-102.5.0-150200.8.90.1
      MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
      MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-other-102.5.0-150200.8.90.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      MozillaThunderbird-102.5.0-150200.8.90.1
      MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
      MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-other-102.5.0-150200.8.90.1

   - SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64):

      MozillaThunderbird-102.5.0-150200.8.90.1
      MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
      MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-other-102.5.0-150200.8.90.1

   - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):

      MozillaThunderbird-102.5.0-150200.8.90.1
      MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
      MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-other-102.5.0-150200.8.90.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x):

      MozillaThunderbird-102.5.0-150200.8.90.1
      MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
      MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-other-102.5.0-150200.8.90.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x):

      MozillaThunderbird-102.5.0-150200.8.90.1
      MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
      MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
      MozillaThunderbird-translations-other-102.5.0-150200.8.90.1


References:

   https://www.suse.com/security/cve/CVE-2022-42927.html
   https://www.suse.com/security/cve/CVE-2022-42928.html
   https://www.suse.com/security/cve/CVE-2022-42929.html
   https://www.suse.com/security/cve/CVE-2022-42932.html
   https://www.suse.com/security/cve/CVE-2022-45403.html
   https://www.suse.com/security/cve/CVE-2022-45404.html
   https://www.suse.com/security/cve/CVE-2022-45405.html
   https://www.suse.com/security/cve/CVE-2022-45406.html
   https://www.suse.com/security/cve/CVE-2022-45408.html
   https://www.suse.com/security/cve/CVE-2022-45409.html
   https://www.suse.com/security/cve/CVE-2022-45410.html
   https://www.suse.com/security/cve/CVE-2022-45411.html
   https://www.suse.com/security/cve/CVE-2022-45412.html
   https://www.suse.com/security/cve/CVE-2022-45416.html
   https://www.suse.com/security/cve/CVE-2022-45418.html
   https://www.suse.com/security/cve/CVE-2022-45420.html
   https://www.suse.com/security/cve/CVE-2022-45421.html
   https://bugzilla.suse.com/1204421
   https://bugzilla.suse.com/1205270



More information about the sle-updates mailing list