SUSE-SU-2022:3800-1: important: Security update for MozillaThunderbird

sle-updates at lists.suse.com sle-updates at lists.suse.com
Thu Oct 27 16:23:03 UTC 2022


   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3800-1
Rating:             important
References:         #1203477 #1204411 #1204421 
Cross-References:   CVE-2022-3155 CVE-2022-3266 CVE-2022-39236
                    CVE-2022-39249 CVE-2022-39250 CVE-2022-39251
                    CVE-2022-40956 CVE-2022-40957 CVE-2022-40958
                    CVE-2022-40959 CVE-2022-40960 CVE-2022-40962
                   
CVSS scores:
                    CVE-2022-39236 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2022-39236 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2022-39249 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-39249 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-39250 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-39250 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-39251 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-39251 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Linux Enterprise Storage 7.1
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Workstation Extension 15-SP4
                    SUSE Manager Proxy 4.2
                    SUSE Manager Proxy 4.3
                    SUSE Manager Retail Branch Server 4.2
                    SUSE Manager Retail Branch Server 4.3
                    SUSE Manager Server 4.2
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird fixes the following issues:

   - Mozilla Thunderbird 102.4.0 (bsc#1204421)
     * changed: Thunderbird will automatically detect and repair OpenPGP key
       storage corruption caused by using the profile import tool in
       Thunderbird 102
     * fixed: POP message download into a large folder (~13000 messages)
       caused Thunderbird to temporarily freeze
     * fixed: Forwarding messages with special characters in Subject failed
       on Windows
     * fixed: Links for FileLink attachments were not added when attachment
       filename contained Unicode characters
     * fixed: Address Book display pane continued to show contacts after
       deletion
     * fixed: Printing address book did not include all contact details
     * fixed: CardDAV contacts without a Name property did not save to Google
       Contacts
     * fixed: "Publish Calendar" did not work
     * fixed: Calendar database storage improvements
     * fixed: Incorrectly handled error responses from CalDAV servers
       sometimes caused events to disappear from calendar
     * fixed: Various visual and UX improvements
   - Mozilla Thunderbird 102.3.3
     * new: Option added to show containing address book for a contact when
       using `All Address Books` in vertical mode (bmo#1778871)
     * changed: Thunderbird will try to use POP NTLM authentication even if
       not advertised by server (bmo#1793349)
     * changed: Task List and Today Pane sidebars will no longer load when
       not visible (bmo#1788549)
     * fixed: Sending a message while a recipient pill was being modified did
       not save changes (bmo#1779785)
     * fixed: Nickname column was not available in horizontal view
       of Address Book (bmo#1778000)
     * fixed: Multiline organization values were displayed across two columns
       in horizontal view of Address Book (bmo#1777780)
     * fixed: Contact vCard fields with multiple values such as Categories
       were truncated when saved (bmo#1792399)
     * fixed: ICS calendar files with a `FREEBUSY` property could not be
       imported (bmo#1783441)
     * fixed: Thunderbird would hang if calendar event exceeded the year 2035
       (bmo#1789999)
   - Mozilla Thunderbird 102.3.2
     * changed: Thunderbird will try to use POP CRAM-MD5 authentication even
       if not advertised by server (bmo#1789975)
     * fixed: Checking messages on POP3 accounts caused POP folder to lock if
       mail server was slow or non-responsive (bmo#1792451)
     * fixed: Newsgroups named with consecutive dots would not appear when
       refreshing list of newsgroups (bmo#1787789)
     * fixed: Sending news articles containing lines starting with dot were
       sometimes clipped (bmo#1787955)
     * fixed: CardDAV server sync silently failed if sync token expired
       (bmo#1791183)
     * fixed: Contacts from LDAP on macOS address books were not displayed
       (bmo#1791347)
     * fixed: Chat account input now accepts URIs for supported chat
       protocols (bmo#1776706)
     * fixed: Chat ScreenName field was not migrated to new address book
       (bmo#1789990)
     * fixed: Creating a New Event from the Today Pane used the currently
       selected day from the main calendar instead of from the Today Pane
       (bmo#1791203)
     * fixed: `New Event` button in Today Pane was incorrectly disabled
       sometimes (bmo#1792058)
     * fixed: Event reminder windows did not close after being dismissed or
       snoozed (bmo#1791228)
     * fixed: Improved performance of recurring event date calculation
       (bmo#1787677)
     * fixed: Quarterly calendar events on the last day of the month repeated
       one month early (bmo#1789362)
     * fixed: Thunderbird would hang if calendar event exceeded the year 2035
       (bmo#1789999)
     * fixed: Whitespace in calendar events was incorrectly handled when
       upgrading from Thunderbird 91 to 102 (bmo#1790339)
     * fixed: Various visual and UX improvements (bmo#1755623,bmo#17
       83903,bmo#1785851,bmo#1786434,bmo#1787286,bmo#1788151,bmo#178
       9728,bmo#1790499)
   - Mozilla Thunderbird 102.3.1
     * changed: Compose window encryption options now only appear for
       encryption technologies that have already been configured (bmo#1788988)
     * changed: Number of contacts in currently selected address book now
       displayed at bottom of Address Book list column (bmo#1745571)
     * fixed: Password prompt did not include server hostname for POP servers
       (bmo#1786920)
     * fixed: `Edit Contact` was missing from Contacts sidebar context menus
       (bmo#1771795)
     * fixed: Address Book contact lists cut off display of some characters,
       the result being unreadable (bmo#1780909)
     * fixed: Menu items for dark-themed alarm dialog were invisible
       on Windows 7 (bmo#1791738)
     * fixed: Various security fixes MFSA 2022-43 (bsc#1204411)
     * CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird
       vulnerable to an impersonation attack by malicious server
       administrators
     * CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird
       vulnerable to a device verification attack
     * CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird
       vulnerable to an impersonation attack
     * CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird
       vulnerable to a data corruption issue
   - Mozilla Thunderbird 102.3
     * changed: Thunderbird will no longer attempt to import account
       passwords when importing from another Thunderbird profile in
       order to prevent profile corruption and permanent data loss.
        (bmo#1790605)
     * changed: Devtools performance profile will use Thunderbird presets
       instead of Web Developer presets (bmo#1785954)
     * fixed: Thunderbird startup performance improvements (bmo#1785967)
     * fixed: Saving email source and images failed (bmo#1777323,bmo#1778804)
     * fixed: Error message was shown repeatedly when temporary disk space
       was full (bmo#1788580)
     * fixed: Attaching OpenPGP keys without a set size to non- encrypted
       messages briefly displayed a size of zero bytes (bmo#1788952)
     * fixed: Global Search entry box initially contained "undefined"
       (bmo#1780963)
     * fixed: Delete from POP Server mail filter rule intermittently failed
       to trigger (bmo#1789418)
     * fixed: Connections to POP3 servers without UIDL support failed
       (bmo#1789314)
     * fixed: Pop accounts with "Fetch headers only" set downloaded complete
       messages if server did not advertise TOP capability (bmo#1789356)
     * fixed: "File -> New -> Address Book Contact" from Compose window did
       not work (bmo#1782418)
     * fixed: Attach "My vCard" option in compose window was not available
       (bmo#1787614)
     * fixed: Improved performance of matching a contact to an email address
       (bmo#1782725)
     * fixed: Address book only recognized a contact's first two email
       addresses (bmo#1777156)
     * fixed: Address book search and autocomplete failed if a contact vCard
       could not be parsed (bmo#1789793)
     * fixed: Downloading NNTP messages for offline use failed (bmo#1785773)
     * fixed: NNTP client became stuck when connecting to Public- Inbox
       servers (bmo#1786203)
     * fixed: Various visual and UX improvements
       (bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324)
     * fixed: Various security fixes
     * unresolved: No dedicated "Department" field in address book
       (bmo#1777780) MFSA 2022-42 (bsc#1203477)
     * CVE-2022-3266 (bmo#1767360) Out of bounds read when decoding H264
     * CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on
       transient pages
     * CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in
       threads
     * CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for
       cookies with __Host and __Secure prefix
     * CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
     * CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when
       building WASM on ARM64
     * CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS
       could be executed without warning
     * CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109,
       bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-3800=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-3800=1

   - SUSE Linux Enterprise Workstation Extension 15-SP4:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-3800=1

   - SUSE Linux Enterprise Workstation Extension 15-SP3:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-3800=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3800=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3800=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      MozillaThunderbird-102.4.0-150200.8.85.1
      MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
      MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-other-102.4.0-150200.8.85.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      MozillaThunderbird-102.4.0-150200.8.85.1
      MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
      MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-other-102.4.0-150200.8.85.1

   - SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64):

      MozillaThunderbird-102.4.0-150200.8.85.1
      MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
      MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-other-102.4.0-150200.8.85.1

   - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):

      MozillaThunderbird-102.4.0-150200.8.85.1
      MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
      MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-other-102.4.0-150200.8.85.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x):

      MozillaThunderbird-102.4.0-150200.8.85.1
      MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
      MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-other-102.4.0-150200.8.85.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x):

      MozillaThunderbird-102.4.0-150200.8.85.1
      MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
      MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
      MozillaThunderbird-translations-other-102.4.0-150200.8.85.1


References:

   https://www.suse.com/security/cve/CVE-2022-3155.html
   https://www.suse.com/security/cve/CVE-2022-3266.html
   https://www.suse.com/security/cve/CVE-2022-39236.html
   https://www.suse.com/security/cve/CVE-2022-39249.html
   https://www.suse.com/security/cve/CVE-2022-39250.html
   https://www.suse.com/security/cve/CVE-2022-39251.html
   https://www.suse.com/security/cve/CVE-2022-40956.html
   https://www.suse.com/security/cve/CVE-2022-40957.html
   https://www.suse.com/security/cve/CVE-2022-40958.html
   https://www.suse.com/security/cve/CVE-2022-40959.html
   https://www.suse.com/security/cve/CVE-2022-40960.html
   https://www.suse.com/security/cve/CVE-2022-40962.html
   https://bugzilla.suse.com/1203477
   https://bugzilla.suse.com/1204411
   https://bugzilla.suse.com/1204421



More information about the sle-updates mailing list