Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2024:3507-1
Release Date:	2024-10-01T15:02:22Z
Rating:	important
References:	bsc#1184272 bsc#1226316 bsc#1228648 bsc#1229821
Cross-References:	CVE-2024-6600 CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-6606 CVE-2024-6607 CVE-2024-6608 CVE-2024-6609 CVE-2024-6610 CVE-2024-6611 CVE-2024-6612 CVE-2024-6613 CVE-2024-6614 CVE-2024-6615 CVE-2024-7518 CVE-2024-7519 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7528 CVE-2024-7529 CVE-2024-8381 CVE-2024-8382 CVE-2024-8384 CVE-2024-8385 CVE-2024-8386 CVE-2024-8387 CVE-2024-8394
CVSS scores:	CVE-2024-6600 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2024-6601 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2024-6602 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L CVE-2024-6603 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVE-2024-6604 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-6606 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L CVE-2024-6607 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2024-6608 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2024-6608 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2024-6609 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L CVE-2024-6609 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-6610 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L CVE-2024-6610 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2024-6611 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-6612 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-6614 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2024-6615 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7518 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2024-7518 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2024-7519 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7519 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2024-7520 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7520 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7521 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7521 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7522 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L CVE-2024-7522 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7525 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2024-7525 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2024-7526 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L CVE-2024-7526 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-7526 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-7527 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7527 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7528 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7528 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7529 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2024-7529 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2024-8381 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2024-8381 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-8382 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2024-8382 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-8384 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2024-8384 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-8385 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2024-8385 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-8386 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2024-8386 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2024-8387 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-8387 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-8394 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP6 SUSE Package Hub 15 15-SP5 SUSE Package Hub 15 15-SP6

An update that solves 32 vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

• Mozilla Thunderbird 128.2.3 MFSA 2024-43 (bsc#1229821)
• CVE-2024-8394: Crash when aborting verification of OTR chat.
• CVE-2024-8385: WASM type confusion involving ArrayTypes.
• CVE-2024-8381: Type confusion when looking up a property name in a "with" block.
• CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran.
• CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions.
• CVE-2024-8386: SelectElements could be shown over another site if popups are allowed.
• CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. MFSA 2024-37 (bsc#1228648)
• CVE-2024-7518: Fullscreen notification dialog can be obscured by document content.
• CVE-2024-7519: Out of bounds memory access in graphics shared memory handling.
• CVE-2024-7520: Type confusion in WebAssembly.
• CVE-2024-7521: Incomplete WebAssembly exception handing.
• CVE-2024-7522: Out of bounds read in editor component.
• CVE-2024-7525: Missing permission check when creating a StreamFilter.
• CVE-2024-7526: Uninitialized memory used by WebGL.
• CVE-2024-7527: Use-after-free in JavaScript garbage collection.
• CVE-2024-7528: Use-after-free in IndexedDB.
• CVE-2024-7529: Document content could partially obscure security prompts. MFSA 2024-32 (bsc#1226316)
• CVE-2024-6606: Out-of-bounds read in clipboard component.
• CVE-2024-6607: Leaving pointerlock by pressing the escape key could be prevented.
• CVE-2024-6608: Cursor could be moved out of the viewport using pointerlock.
• CVE-2024-6609: Memory corruption in NSS.
• CVE-2024-6610: Form validation popups could block exiting full-screen mode.
• CVE-2024-6600: Memory corruption in WebGL API.
• CVE-2024-6601: Race condition in permission assignment.
• CVE-2024-6602: Memory corruption in NSS.
• CVE-2024-6603: Memory corruption in thread creation.
• CVE-2024-6611: Incorrect handling of SameSite cookies.
• CVE-2024-6612: CSP violation leakage when using devtools.
• CVE-2024-6613: Incorrect listing of stack frames.
• CVE-2024-6614: Incorrect listing of stack frames.
• CVE-2024-6604: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, Thunderbird 128, and Thunderbird 115.13.
• CVE-2024-6615: Memory safety bugs fixed in Firefox 128 and Thunderbird 128.

Bug fixes: - Recommend libfido2-udev in order to try to get security keys (e.g. Yubikeys) working out of the box. (bsc#1184272)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-3507=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-3507=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3507=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3507=1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-3507=1
• SUSE Linux Enterprise Workstation Extension 15 SP5
  zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-3507=1
• SUSE Linux Enterprise Workstation Extension 15 SP6
  zypper in -t patch SUSE-SLE-Product-WE-15-SP6-2024-3507=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
• SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
• SUSE Linux Enterprise Workstation Extension 15 SP6 (x86_64)
  • MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
  • MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
  • MozillaThunderbird-128.2.3-150200.8.177.1
  • MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1

References:

• https://www.suse.com/security/cve/CVE-2024-6600.html
• https://www.suse.com/security/cve/CVE-2024-6601.html
• https://www.suse.com/security/cve/CVE-2024-6602.html
• https://www.suse.com/security/cve/CVE-2024-6603.html
• https://www.suse.com/security/cve/CVE-2024-6604.html
• https://www.suse.com/security/cve/CVE-2024-6606.html
• https://www.suse.com/security/cve/CVE-2024-6607.html
• https://www.suse.com/security/cve/CVE-2024-6608.html
• https://www.suse.com/security/cve/CVE-2024-6609.html
• https://www.suse.com/security/cve/CVE-2024-6610.html
• https://www.suse.com/security/cve/CVE-2024-6611.html
• https://www.suse.com/security/cve/CVE-2024-6612.html
• https://www.suse.com/security/cve/CVE-2024-6613.html
• https://www.suse.com/security/cve/CVE-2024-6614.html
• https://www.suse.com/security/cve/CVE-2024-6615.html
• https://www.suse.com/security/cve/CVE-2024-7518.html
• https://www.suse.com/security/cve/CVE-2024-7519.html
• https://www.suse.com/security/cve/CVE-2024-7520.html
• https://www.suse.com/security/cve/CVE-2024-7521.html
• https://www.suse.com/security/cve/CVE-2024-7522.html
• https://www.suse.com/security/cve/CVE-2024-7525.html
• https://www.suse.com/security/cve/CVE-2024-7526.html
• https://www.suse.com/security/cve/CVE-2024-7527.html
• https://www.suse.com/security/cve/CVE-2024-7528.html
• https://www.suse.com/security/cve/CVE-2024-7529.html
• https://www.suse.com/security/cve/CVE-2024-8381.html
• https://www.suse.com/security/cve/CVE-2024-8382.html
• https://www.suse.com/security/cve/CVE-2024-8384.html
• https://www.suse.com/security/cve/CVE-2024-8385.html
• https://www.suse.com/security/cve/CVE-2024-8386.html
• https://www.suse.com/security/cve/CVE-2024-8387.html
• https://www.suse.com/security/cve/CVE-2024-8394.html
• https://bugzilla.suse.com/show_bug.cgi?id=1184272
• https://bugzilla.suse.com/show_bug.cgi?id=1226316
• https://bugzilla.suse.com/show_bug.cgi?id=1228648
• https://bugzilla.suse.com/show_bug.cgi?id=1229821