Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2020:1225-1
Rating:	important
References:	bsc#1171186
Cross-References:	CVE-2020-12387 CVE-2020-12392 CVE-2020-12393 CVE-2020-12395 CVE-2020-12397 CVE-2020-6831
CVSS scores:	CVE-2020-12387 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-12387 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-12392 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12393 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-12395 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-12397 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-6831 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6831 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Workstation Extension 15 SP1

An update that solves six vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues: - Update to 68.8.0 ESR MFSA 2020-18 (bsc#1171186) * CVE-2020-12397 (bmo#1617370) Sender Email Address Spoofing using encoded Unicode characters * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL' * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Thunderbird 68.8.0

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP1
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1225=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
  • MozillaThunderbird-translations-common-68.8.0-3.80.2
  • MozillaThunderbird-debugsource-68.8.0-3.80.2
  • MozillaThunderbird-debuginfo-68.8.0-3.80.2
  • MozillaThunderbird-68.8.0-3.80.2
  • MozillaThunderbird-translations-other-68.8.0-3.80.2

References:

• https://www.suse.com/security/cve/CVE-2020-12387.html
• https://www.suse.com/security/cve/CVE-2020-12392.html
• https://www.suse.com/security/cve/CVE-2020-12393.html
• https://www.suse.com/security/cve/CVE-2020-12395.html
• https://www.suse.com/security/cve/CVE-2020-12397.html
• https://www.suse.com/security/cve/CVE-2020-6831.html
• https://bugzilla.suse.com/show_bug.cgi?id=1171186