Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2021:0122-1
Rating:	important
References:	bsc#1180623
Cross-References:	CVE-2020-16044
CVSS scores:	CVE-2020-16044 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-16044 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Workstation Extension 15 SP1

An update that solves one vulnerability can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

• Mozilla Thunderbird 78.6.1
• changed: MailExtensions: browserAction, composeAction, and messageDisplayAction toolbar buttons now support label and default_label properties (bmo#1583478)
• fixed: Running a quicksearch that returned no results did not offer to re-run as a global search (bmo#1663153)
• fixed: Message search toolbar fixes (bmo#1681010)
• fixed: Very long subject lines distorted the message compose and display windows, making them unusable (bmo#77806)
• fixed: Compose window: Recipient addresses that had not yet been autocompleted were lost when clicking Send button (bmo#1674054)
• fixed: Compose window: New message is no longer marked as "changed" just from tabbing out of the recipient field without editing anything (bmo#1681389)
• fixed: Account autodiscover fixes when using MS Exchange servers (bmo#1679759)
• fixed: LDAP address book stability fix (bmo#1680914)
• fixed: Messages with invalid vcard attachments were not marked as read when viewed in the preview window (bmo#1680468)
• fixed: Chat: Could not add TLS certificate exceptions for XMPP connections (bmo#1590471)
• fixed: Calendar: System timezone was not always properly detected (bmo#1678839)
• fixed: Calendar: Descriptions were sometimes blank when editing a single occurrence of a repeating event (bmo#1664731)
• fixed: Various printing bugfixes (bmo#1676166)
• fixed: Visual consistency and theme improvements (bmo#1682808) MFSA 2021-02 (bsc#1180623)
• CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP1
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2021-122=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
  • MozillaThunderbird-debugsource-78.6.1-3.116.1
  • MozillaThunderbird-debuginfo-78.6.1-3.116.1
  • MozillaThunderbird-78.6.1-3.116.1
  • MozillaThunderbird-translations-common-78.6.1-3.116.1
  • MozillaThunderbird-translations-other-78.6.1-3.116.1

References:

• https://www.suse.com/security/cve/CVE-2020-16044.html
• https://bugzilla.suse.com/show_bug.cgi?id=1180623