Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2024:0242-1
Rating:	important
References:	bsc#1218955
Cross-References:	CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755
CVSS scores:	CVE-2024-0741 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-0742 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2024-0746 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-0747 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2024-0749 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2024-0750 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-0751 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-0753 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2024-0755 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Package Hub 15 15-SP5

An update that solves nine vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 115.7 (MFSA 2024-04) (bsc#1218955):

• CVE-2024-0741: Out of bounds write in ANGLE
• CVE-2024-0742: Failure to update user input timestamp
• CVE-2024-0746: Crash when listing printers on Linux
• CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set
• CVE-2024-0749: Phishing site popup could show local origin in address bar
• CVE-2024-0750: Potential permissions request bypass via clickjacking
• CVE-2024-0751: Privilege escalation through devtools
• CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain
• CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7

Other fixes:

• new: Autocrypt Gossip key distribution added (bmo#1853674)
• fixed: When starting Thunderbird, unread message count did not appear on collapsed accounts (bmo#1862774)
• fixed: Blank window was sometimes displayed when starting Thunderbird (bmo#1870817)
• fixed: Thunderbird "--chrome" flag incorrectly opened extra messenger.xhtml (bmo#1866915)
• fixed: Add-ons did not start correctly when opening Thunderbird from other programs (bmo#1800423)
• fixed: Drag-and-drop installation of add-ons did not work if Add-ons Manager was opened from Unified Toolbar (bmo#1862978)
• fixed: Double-clicking empty space in message pane incorrectly opened the currently selected message (bmo#1867407)
• fixed: Canceling SMTP send before progress reached 100% did not stop message from sending (bmo#1816540)
• fixed: PDF attachments open in a separate tab did not always restore correctly after restarting Thunderbird (bmo#1846054)
• fixed: Some OpenPGP dialogs were too small for their contents (bmo#1870809)
• fixed: Account Manager did not work with hostnames entered as punycode (bmo#1870720,bmo#1872632)
• fixed: Downloading complete message from POP3 headers caused message tab/window to close when "Close message window/tab on move or delete" was enabled (bmo#1861886)
• fixed: Some ECC GPG keys could not be exported (bmo#1867765)
• fixed: Contacts deleted from mailing list view still visible in Details view (bmo#1799362)
• fixed: After selecting contacts in Address Book and starting a new search, the search results list did not update (bmo#1812726)
• fixed: Various UX and visual improvements (bmo#1866061,bmo#18 67169,bmo#1867728,bmo#1868079,bmo#1869519,bmo#1832149,bmo#185 6495,bmo#1861210,bmo#1861286,bmo#1863296,bmo#1864979)

• fixed: Security fixes

• Mozilla Thunderbird 115.6.1

• new: OAuth2 now supported for comcast.net (bmo#1844810)
• fixed: High CPU usage sometimes occurred with IMAP CONDSTORE (conditional STORE) enabled (bmo#1839256)
• fixed: Replying to a collapsed thread via keyboard shortcut (Ctrl+R/Cmd+R) opened a reply for every message in the thread (bmo#1866819)
• fixed: Enabling Grouped By view after reversing sort order of column header caused messages to be grouped incorrectly (bmo#1868794)
• fixed: Opening thread pane context menu via keyboard did not always scroll view to selection (bmo#1867532)
• fixed: New mail indicator for POP3 accounts did not indicate new messages ready to be downloaded (bmo#1870619)
• fixed: Messages could not be moved to folders using Message > Move To if text or a link in the message had been clicked on first (bmo#1868474)
• fixed: MIME part boundaries were not properly terminated (bmo#1805558)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-242=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-242=1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-242=1
• SUSE Linux Enterprise Workstation Extension 15 SP5
  zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-242=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-translations-other-115.7.0-150200.8.145.1
  • MozillaThunderbird-115.7.0-150200.8.145.1
  • MozillaThunderbird-debugsource-115.7.0-150200.8.145.1
  • MozillaThunderbird-translations-common-115.7.0-150200.8.145.1
  • MozillaThunderbird-debuginfo-115.7.0-150200.8.145.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x)
  • MozillaThunderbird-translations-other-115.7.0-150200.8.145.1
  • MozillaThunderbird-115.7.0-150200.8.145.1
  • MozillaThunderbird-debugsource-115.7.0-150200.8.145.1
  • MozillaThunderbird-translations-common-115.7.0-150200.8.145.1
  • MozillaThunderbird-debuginfo-115.7.0-150200.8.145.1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
  • MozillaThunderbird-translations-other-115.7.0-150200.8.145.1
  • MozillaThunderbird-115.7.0-150200.8.145.1
  • MozillaThunderbird-debugsource-115.7.0-150200.8.145.1
  • MozillaThunderbird-translations-common-115.7.0-150200.8.145.1
  • MozillaThunderbird-debuginfo-115.7.0-150200.8.145.1
• SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
  • MozillaThunderbird-translations-other-115.7.0-150200.8.145.1
  • MozillaThunderbird-115.7.0-150200.8.145.1
  • MozillaThunderbird-debugsource-115.7.0-150200.8.145.1
  • MozillaThunderbird-translations-common-115.7.0-150200.8.145.1
  • MozillaThunderbird-debuginfo-115.7.0-150200.8.145.1

References:

• https://www.suse.com/security/cve/CVE-2024-0741.html
• https://www.suse.com/security/cve/CVE-2024-0742.html
• https://www.suse.com/security/cve/CVE-2024-0746.html
• https://www.suse.com/security/cve/CVE-2024-0747.html
• https://www.suse.com/security/cve/CVE-2024-0749.html
• https://www.suse.com/security/cve/CVE-2024-0750.html
• https://www.suse.com/security/cve/CVE-2024-0751.html
• https://www.suse.com/security/cve/CVE-2024-0753.html
• https://www.suse.com/security/cve/CVE-2024-0755.html
• https://bugzilla.suse.com/show_bug.cgi?id=1218955