Recommended update for MozillaThunderbird

Announcement ID:	SUSE-SU-2019:2912-1
Rating:	important
References:	bsc#1149126 bsc#1149429 bsc#1151186 bsc#1152778 bsc#1153879 bsc#1154738
Cross-References:	CVE-2019-11757 CVE-2019-11758 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903
CVSS scores:	CVE-2019-11757 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11758 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11759 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11760 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11761 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2019-11762 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-11763 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-11764 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-15903 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15903 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15903 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1

An update that solves nine vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird to version 68.2.1 provides the following fixes:

• Security issues fixed (bsc#1154738):
• CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
• CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
• CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
• CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
• CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
• CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
• CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
• CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
• CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).

Other fixes (bsc#1153879): * Some attachments couldn't be opened in messages originating from MS Outlook 2016. * Address book import from CSV. * Performance problem in message body search. * Ctrl+Enter to send a message would open an attachment if the attachment pane had focus. * Calendar: Issues with "Today Pane" start-up. * Calendar: Glitches with custom repeat and reminder number input. * Calendar: Problems with WCAP provider. * A language for the user interface can now be chosen in the advanced settings
* Fixed an issue with Google authentication (OAuth2) * Fixed an issue where selected or unread messages were not shown in the correct color in the thread pane under some circumstances * Fixed an issue where when using a language pack, names of standard folders were not localized (bsc#1149126) * Fixed an issue where the address book default startup directory in preferences panel not persisted * Fixed various visual glitches * Fixed issues with the chat * Fixed building with rust >= 1.38. * Fixrd LTO build without PGO. * Removed kde.js since disabling instantApply breaks extensions and is now obsolete with the move to HTML views for preferences. (bsc#1151186) * Updated create-tar.sh. (bsc#1152778) * Deactivated the crashreporter for the last remaining arch.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP1
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-2912=1
• SUSE Linux Enterprise Workstation Extension 15
  zypper in -t patch SUSE-SLE-Product-WE-15-2019-2912=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
  • MozillaThunderbird-debuginfo-68.2.1-3.58.1
  • MozillaThunderbird-translations-common-68.2.1-3.58.1
  • MozillaThunderbird-debugsource-68.2.1-3.58.1
  • MozillaThunderbird-68.2.1-3.58.1
  • MozillaThunderbird-translations-other-68.2.1-3.58.1
• SUSE Linux Enterprise Workstation Extension 15 (x86_64)
  • MozillaThunderbird-debuginfo-68.2.1-3.58.1
  • MozillaThunderbird-translations-common-68.2.1-3.58.1
  • MozillaThunderbird-debugsource-68.2.1-3.58.1
  • MozillaThunderbird-68.2.1-3.58.1
  • MozillaThunderbird-translations-other-68.2.1-3.58.1

References:

• https://www.suse.com/security/cve/CVE-2019-11757.html
• https://www.suse.com/security/cve/CVE-2019-11758.html
• https://www.suse.com/security/cve/CVE-2019-11759.html
• https://www.suse.com/security/cve/CVE-2019-11760.html
• https://www.suse.com/security/cve/CVE-2019-11761.html
• https://www.suse.com/security/cve/CVE-2019-11762.html
• https://www.suse.com/security/cve/CVE-2019-11763.html
• https://www.suse.com/security/cve/CVE-2019-11764.html
• https://www.suse.com/security/cve/CVE-2019-15903.html
• https://bugzilla.suse.com/show_bug.cgi?id=1149126
• https://bugzilla.suse.com/show_bug.cgi?id=1149429
• https://bugzilla.suse.com/show_bug.cgi?id=1151186
• https://bugzilla.suse.com/show_bug.cgi?id=1152778
• https://bugzilla.suse.com/show_bug.cgi?id=1153879
• https://bugzilla.suse.com/show_bug.cgi?id=1154738