Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2024:4148-1
Release Date:	2024-12-03T09:10:23Z
Rating:	important
References:	bsc#1233650 bsc#1233695
Cross-References:	CVE-2024-11691 CVE-2024-11692 CVE-2024-11693 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11698 CVE-2024-11699
CVSS scores:	CVE-2024-11691 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-11692 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2024-11693 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-11694 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2024-11695 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2024-11696 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2024-11697 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-11698 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-11699 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP6 SUSE Package Hub 15 15-SP5 SUSE Package Hub 15 15-SP6

An update that solves nine vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

• Mozilla Thunderbird 128.5
• fixed: IMAP could crash when reading cached messages
• fixed: Enabling "Show Folder Size" on Maildir profile could render Thunderbird unusable
• fixed: Messages corrupted by folder compaction were only fixed by user intervention
• fixed: Reading a message from past the end of an mbox file did not cause an error
• fixed: View -> Folders had duplicate F access keys
• fixed: Add-ons adding columns to the message list could fail and cause display issue
• fixed: "Empty trash on exit" and "Expunge inbox on exit" did not always work
• fixed: Selecting a display option in View -> Tasks did not apply in the Task interface
• fixed: Security fixes MFSA 2024-68 (bsc#1233695)
• CVE-2024-11691 Out-of-bounds write in Apple GPU drivers via WebGL
• CVE-2024-11692 Select list elements could be shown over another site
• CVE-2024-11693 Download Protections were bypassed by .library-ms files on Windows
• CVE-2024-11694 CSP Bypass and XSS Exposure via Web Compatibility Shims
• CVE-2024-11695 URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
• CVE-2024-11696 Unhandled Exception in Add-on Signature Verification
• CVE-2024-11697 Improper Keypress Handling in Executable File Confirmation Dialog
• CVE-2024-11698 Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS

• CVE-2024-11699 Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5

• Handle upstream changes with esr-prefix of desktop-file (bsc#1233650)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-4148=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-4148=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4148=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4148=1
• SUSE Linux Enterprise Workstation Extension 15 SP5
  zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-4148=1
• SUSE Linux Enterprise Workstation Extension 15 SP6
  zypper in -t patch SUSE-SLE-Product-WE-15-SP6-2024-4148=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-translations-common-128.5.0-150200.8.191.1
  • MozillaThunderbird-128.5.0-150200.8.191.1
  • MozillaThunderbird-debugsource-128.5.0-150200.8.191.1
  • MozillaThunderbird-translations-other-128.5.0-150200.8.191.1
  • MozillaThunderbird-debuginfo-128.5.0-150200.8.191.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-translations-common-128.5.0-150200.8.191.1
  • MozillaThunderbird-128.5.0-150200.8.191.1
  • MozillaThunderbird-debugsource-128.5.0-150200.8.191.1
  • MozillaThunderbird-translations-other-128.5.0-150200.8.191.1
  • MozillaThunderbird-debuginfo-128.5.0-150200.8.191.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x)
  • MozillaThunderbird-translations-common-128.5.0-150200.8.191.1
  • MozillaThunderbird-128.5.0-150200.8.191.1
  • MozillaThunderbird-debugsource-128.5.0-150200.8.191.1
  • MozillaThunderbird-translations-other-128.5.0-150200.8.191.1
  • MozillaThunderbird-debuginfo-128.5.0-150200.8.191.1
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x)
  • MozillaThunderbird-translations-common-128.5.0-150200.8.191.1
  • MozillaThunderbird-128.5.0-150200.8.191.1
  • MozillaThunderbird-debugsource-128.5.0-150200.8.191.1
  • MozillaThunderbird-translations-other-128.5.0-150200.8.191.1
  • MozillaThunderbird-debuginfo-128.5.0-150200.8.191.1
• SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
  • MozillaThunderbird-translations-common-128.5.0-150200.8.191.1
  • MozillaThunderbird-128.5.0-150200.8.191.1
  • MozillaThunderbird-debugsource-128.5.0-150200.8.191.1
  • MozillaThunderbird-translations-other-128.5.0-150200.8.191.1
  • MozillaThunderbird-debuginfo-128.5.0-150200.8.191.1
• SUSE Linux Enterprise Workstation Extension 15 SP6 (x86_64)
  • MozillaThunderbird-translations-common-128.5.0-150200.8.191.1
  • MozillaThunderbird-128.5.0-150200.8.191.1
  • MozillaThunderbird-debugsource-128.5.0-150200.8.191.1
  • MozillaThunderbird-translations-other-128.5.0-150200.8.191.1
  • MozillaThunderbird-debuginfo-128.5.0-150200.8.191.1

References:

• https://www.suse.com/security/cve/CVE-2024-11691.html
• https://www.suse.com/security/cve/CVE-2024-11692.html
• https://www.suse.com/security/cve/CVE-2024-11693.html
• https://www.suse.com/security/cve/CVE-2024-11694.html
• https://www.suse.com/security/cve/CVE-2024-11695.html
• https://www.suse.com/security/cve/CVE-2024-11696.html
• https://www.suse.com/security/cve/CVE-2024-11697.html
• https://www.suse.com/security/cve/CVE-2024-11698.html
• https://www.suse.com/security/cve/CVE-2024-11699.html
• https://bugzilla.suse.com/show_bug.cgi?id=1233650
• https://bugzilla.suse.com/show_bug.cgi?id=1233695