Security update for MozillaThunderbird

Announcement ID: SUSE-SU-2022:3800-1
Rating: important
CVSS scores:
  • CVE-2022-3155 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-3266 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2022-39236 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2022-39236 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2022-39249 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-39249 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-39250 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-39250 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-39251 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-39251 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-40956 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2022-40957 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2022-40958 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2022-40959 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2022-40960 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2022-40962 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  • openSUSE Leap 15.4
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise Micro 5.1
  • SUSE Linux Enterprise Micro 5.2
  • SUSE Linux Enterprise Micro 5.3
  • SUSE Linux Enterprise Micro 5.4
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Linux Enterprise Workstation Extension 15 SP3
  • SUSE Linux Enterprise Workstation Extension 15 SP4
  • SUSE Manager Proxy 4.2
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.2
  • SUSE Manager Server 4.3
  • SUSE Package Hub 15 15-SP3
  • SUSE Package Hub 15 15-SP4

An update that solves 12 vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

  • Mozilla Thunderbird 102.4.0 (bsc#1204421)
  • changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102
  • fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze
  • fixed: Forwarding messages with special characters in Subject failed on Windows
  • fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters
  • fixed: Address Book display pane continued to show contacts after deletion
  • fixed: Printing address book did not include all contact details
  • fixed: CardDAV contacts without a Name property did not save to Google Contacts
  • fixed: "Publish Calendar" did not work
  • fixed: Calendar database storage improvements
  • fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar
  • fixed: Various visual and UX improvements
  • Mozilla Thunderbird 102.3.3
  • new: Option added to show containing address book for a contact when using All Address Books in vertical mode (bmo#1778871)
  • changed: Thunderbird will try to use POP NTLM authentication even if not advertised by server (bmo#1793349)
  • changed: Task List and Today Pane sidebars will no longer load when not visible (bmo#1788549)
  • fixed: Sending a message while a recipient pill was being modified did not save changes (bmo#1779785)
  • fixed: Nickname column was not available in horizontal view of Address Book (bmo#1778000)
  • fixed: Multiline organization values were displayed across two columns in horizontal view of Address Book (bmo#1777780)
  • fixed: Contact vCard fields with multiple values such as Categories were truncated when saved (bmo#1792399)
  • fixed: ICS calendar files with a FREEBUSY property could not be imported (bmo#1783441)
  • fixed: Thunderbird would hang if calendar event exceeded the year 2035 (bmo#1789999)
  • Mozilla Thunderbird 102.3.2
  • changed: Thunderbird will try to use POP CRAM-MD5 authentication even if not advertised by server (bmo#1789975)
  • fixed: Checking messages on POP3 accounts caused POP folder to lock if mail server was slow or non-responsive (bmo#1792451)
  • fixed: Newsgroups named with consecutive dots would not appear when refreshing list of newsgroups (bmo#1787789)
  • fixed: Sending news articles containing lines starting with dot were sometimes clipped (bmo#1787955)
  • fixed: CardDAV server sync silently failed if sync token expired (bmo#1791183)
  • fixed: Contacts from LDAP on macOS address books were not displayed (bmo#1791347)
  • fixed: Chat account input now accepts URIs for supported chat protocols (bmo#1776706)
  • fixed: Chat ScreenName field was not migrated to new address book (bmo#1789990)
  • fixed: Creating a New Event from the Today Pane used the currently selected day from the main calendar instead of from the Today Pane (bmo#1791203)
  • fixed: New Event button in Today Pane was incorrectly disabled sometimes (bmo#1792058)
  • fixed: Event reminder windows did not close after being dismissed or snoozed (bmo#1791228)
  • fixed: Improved performance of recurring event date calculation (bmo#1787677)
  • fixed: Quarterly calendar events on the last day of the month repeated one month early (bmo#1789362)
  • fixed: Thunderbird would hang if calendar event exceeded the year 2035 (bmo#1789999)
  • fixed: Whitespace in calendar events was incorrectly handled when upgrading from Thunderbird 91 to 102 (bmo#1790339)
  • fixed: Various visual and UX improvements (bmo#1755623,bmo#1783903,bmo#1785851,bmo#1786434,bmo#1787286,bmo#1788151,bmo#1789728,bmo#1790499)
  • Mozilla Thunderbird 102.3.1
  • changed: Compose window encryption options now only appear for encryption technologies that have already been configured (bmo#1788988)
  • changed: Number of contacts in currently selected address book now displayed at bottom of Address Book list column (bmo#1745571)
  • fixed: Password prompt did not include server hostname for POP servers (bmo#1786920)
  • fixed: Edit Contact was missing from Contacts sidebar context menus (bmo#1771795)
  • fixed: Address Book contact lists cut off display of some characters, the result being unreadable (bmo#1780909)
  • fixed: Menu items for dark-themed alarm dialog were invisible on Windows 7 (bmo#1791738)
  • fixed: Various security fixes
  • MFSA 2022-43 (bsc#1204411)
  • CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators
  • CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack
  • CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack
  • CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue
  • Mozilla Thunderbird 102.3
  • changed: Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss. (bmo#1790605)
  • changed: Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954)
  • fixed: Thunderbird startup performance improvements (bmo#1785967)
  • fixed: Saving email source and images failed (bmo#1777323,bmo#1778804)
  • fixed: Error message was shown repeatedly when temporary disk space was full (bmo#1788580)
  • fixed: Attaching OpenPGP keys without a set size to non-encrypted messages briefly displayed a size of zero bytes (bmo#1788952)
  • fixed: Global Search entry box initially contained "undefined" (bmo#1780963)
  • fixed: Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418)
  • fixed: Connections to POP3 servers without UIDL support failed (bmo#1789314)
  • fixed: POP accounts with "Fetch headers only" set downloaded complete messages if server did not advertise TOP capability (bmo#1789356)
  • fixed: "File -> New -> Address Book Contact" from Compose window did not work (bmo#1782418)
  • fixed: Attach "My vCard" option in compose window was not available (bmo#1787614)
  • fixed: Improved performance of matching a contact to an email address (bmo#1782725)
  • fixed: Address book only recognized a contact's first two email addresses (bmo#1777156)
  • fixed: Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793)
  • fixed: Downloading NNTP messages for offline use failed (bmo#1785773)
  • fixed: NNTP client became stuck when connecting to Public-Inbox servers (bmo#1786203)
  • fixed: Various visual and UX improvements (bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324)
  • fixed: Various security fixes
  • unresolved: No dedicated "Department" field in address book (bmo#1777780)
  • MFSA 2022-42 (bsc#1203477)
  • CVE-2022-3266 (bmo#1767360) Out of bounds read when decoding H264
  • CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages
  • CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads
  • CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
  • CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
  • CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64
  • CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS could be executed without warning
  • CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2022-3800=1
  • SUSE Package Hub 15 15-SP3
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3800=1
  • SUSE Package Hub 15 15-SP4
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3800=1
  • SUSE Linux Enterprise Workstation Extension 15 SP3
    zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-3800=1
  • SUSE Linux Enterprise Workstation Extension 15 SP4
    zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-3800=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    • MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
    • MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
    • MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
    • MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
    • MozillaThunderbird-102.4.0-150200.8.85.1
  • SUSE Package Hub 15 15-SP3 (aarch64 ppc64le s390x)
    • MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
    • MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
    • MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
    • MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
    • MozillaThunderbird-102.4.0-150200.8.85.1
  • SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x)
    • MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
    • MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
    • MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
    • MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
    • MozillaThunderbird-102.4.0-150200.8.85.1
  • SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
    • MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
    • MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
    • MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
    • MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
    • MozillaThunderbird-102.4.0-150200.8.85.1
  • SUSE Linux Enterprise Workstation Extension 15 SP4 (x86_64)
    • MozillaThunderbird-translations-other-102.4.0-150200.8.85.1
    • MozillaThunderbird-translations-common-102.4.0-150200.8.85.1
    • MozillaThunderbird-debuginfo-102.4.0-150200.8.85.1
    • MozillaThunderbird-debugsource-102.4.0-150200.8.85.1
    • MozillaThunderbird-102.4.0-150200.8.85.1
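
Added example (not part of the SUSE advisory): a post-patch check that compares the installed MozillaThunderbird version-release against the fixed build 102.4.0-150200.8.85.1 from the package list above. It assumes GNU `sort -V` is an adequate stand-in for RPM version ordering on these purely numeric strings; the function names and the `--host` switch are hypothetical.

```shell
#!/bin/sh
# Fixed version-release and package name, both taken from the advisory.
PKG="MozillaThunderbird"
FIXED="102.4.0-150200.8.85.1"

# is_patched VERSION-RELEASE
# Returns 0 when the given string is at or above FIXED.
# Assumption: GNU `sort -V` approximates RPM ordering for plain numeric
# x.y.z-a.b.c.d strings. A lexical compare would be wrong here, e.g.
# "8.9.1" sorts after "8.85.1" as text but is the older release.
is_patched() {
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# check_host
# Queries the local RPM database and reports the patch state.
# Exit status: 0 patched or not installed, 1 older than FIXED, 2 no rpm.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null) || {
        echo "$PKG is not installed"
        return 0
    }
    if is_patched "$installed"; then
        echo "OK: $PKG-$installed is at or above $FIXED"
    else
        echo "VULNERABLE: $PKG-$installed is older than $FIXED"
        return 1
    fi
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run it with `--host` on each system after `zypper patch`; a non-zero exit status marks a machine that still carries a build older than the fixed one.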

References: