Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2020:1027-1
Rating:	important
References:	bsc#1168630 bsc#1168874
Cross-References:	CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825
CVSS scores:	CVE-2020-6819 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6819 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-6820 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6820 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-6821 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-6821 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-6822 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-6822 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6825 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6825 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Workstation Extension 15 SP1

An update that solves five vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird to version 68.7.0 fixes the following issues:

• CVE-2020-6819: Use-after-free while running the nsDocShell destructor (boo#1168630)
• CVE-2020-6820: Use-after-free when handling a ReadableStream (boo#1168630)
• CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage() (boo#1168874)
• CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images (boo#1168874)
• CVE-2020-6825: Memory safety bugs fixed (boo#1168874)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP1
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1027=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
  • MozillaThunderbird-68.7.0-3.77.1
  • MozillaThunderbird-debugsource-68.7.0-3.77.1
  • MozillaThunderbird-debuginfo-68.7.0-3.77.1
  • MozillaThunderbird-translations-common-68.7.0-3.77.1
  • MozillaThunderbird-translations-other-68.7.0-3.77.1

References:

• https://www.suse.com/security/cve/CVE-2020-6819.html
• https://www.suse.com/security/cve/CVE-2020-6820.html
• https://www.suse.com/security/cve/CVE-2020-6821.html
• https://www.suse.com/security/cve/CVE-2020-6822.html
• https://www.suse.com/security/cve/CVE-2020-6825.html
• https://bugzilla.suse.com/show_bug.cgi?id=1168630
• https://bugzilla.suse.com/show_bug.cgi?id=1168874