Security update for MozillaThunderbird
Announcement ID: | SUSE-SU-2024:3507-1 |
---|---|
Release Date: | 2024-10-01T15:02:22Z |
Rating: | important |
References: | |
Cross-References: |
|
CVSS scores: |
|
Affected Products: |
|
An update that solves 32 vulnerabilities can now be installed.
Description:
This update for MozillaThunderbird fixes the following issues:
- Mozilla Thunderbird 128.2.3 MFSA 2024-43 (bsc#1229821)
- CVE-2024-8394: Crash when aborting verification of OTR chat.
- CVE-2024-8385: WASM type confusion involving ArrayTypes.
- CVE-2024-8381: Type confusion when looking up a property name in a "with" block.
- CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran.
- CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions.
- CVE-2024-8386: SelectElements could be shown over another site if popups are allowed.
- CVE-2024-8387: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. MFSA 2024-37 (bsc#1228648)
- CVE-2024-7518: Fullscreen notification dialog can be obscured by document content.
- CVE-2024-7519: Out of bounds memory access in graphics shared memory handling.
- CVE-2024-7520: Type confusion in WebAssembly.
- CVE-2024-7521: Incomplete WebAssembly exception handing.
- CVE-2024-7522: Out of bounds read in editor component.
- CVE-2024-7525: Missing permission check when creating a StreamFilter.
- CVE-2024-7526: Uninitialized memory used by WebGL.
- CVE-2024-7527: Use-after-free in JavaScript garbage collection.
- CVE-2024-7528: Use-after-free in IndexedDB.
- CVE-2024-7529: Document content could partially obscure security prompts. MFSA 2024-32 (bsc#1226316)
- CVE-2024-6606: Out-of-bounds read in clipboard component.
- CVE-2024-6607: Leaving pointerlock by pressing the escape key could be prevented.
- CVE-2024-6608: Cursor could be moved out of the viewport using pointerlock.
- CVE-2024-6609: Memory corruption in NSS.
- CVE-2024-6610: Form validation popups could block exiting full-screen mode.
- CVE-2024-6600: Memory corruption in WebGL API.
- CVE-2024-6601: Race condition in permission assignment.
- CVE-2024-6602: Memory corruption in NSS.
- CVE-2024-6603: Memory corruption in thread creation.
- CVE-2024-6611: Incorrect handling of SameSite cookies.
- CVE-2024-6612: CSP violation leakage when using devtools.
- CVE-2024-6613: Incorrect listing of stack frames.
- CVE-2024-6614: Incorrect listing of stack frames.
- CVE-2024-6604: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, Thunderbird 128, and Thunderbird 115.13.
- CVE-2024-6615: Memory safety bugs fixed in Firefox 128 and Thunderbird 128.
Bug fixes: - Recommend libfido2-udev in order to try to get security keys (e.g. Yubikeys) working out of the box. (bsc#1184272)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-3507=1
-
openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2024-3507=1
-
SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3507=1
-
SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3507=1
-
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-3507=1
-
SUSE Linux Enterprise Workstation Extension 15 SP5
zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-3507=1
-
SUSE Linux Enterprise Workstation Extension 15 SP6
zypper in -t patch SUSE-SLE-Product-WE-15-SP6-2024-3507=1
Package List:
-
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
-
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
-
SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
-
SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
-
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
-
SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
-
SUSE Linux Enterprise Workstation Extension 15 SP6 (x86_64)
- MozillaThunderbird-debugsource-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-other-128.2.3-150200.8.177.1
- MozillaThunderbird-translations-common-128.2.3-150200.8.177.1
- MozillaThunderbird-128.2.3-150200.8.177.1
- MozillaThunderbird-debuginfo-128.2.3-150200.8.177.1
References:
- https://www.suse.com/security/cve/CVE-2024-6600.html
- https://www.suse.com/security/cve/CVE-2024-6601.html
- https://www.suse.com/security/cve/CVE-2024-6602.html
- https://www.suse.com/security/cve/CVE-2024-6603.html
- https://www.suse.com/security/cve/CVE-2024-6604.html
- https://www.suse.com/security/cve/CVE-2024-6606.html
- https://www.suse.com/security/cve/CVE-2024-6607.html
- https://www.suse.com/security/cve/CVE-2024-6608.html
- https://www.suse.com/security/cve/CVE-2024-6609.html
- https://www.suse.com/security/cve/CVE-2024-6610.html
- https://www.suse.com/security/cve/CVE-2024-6611.html
- https://www.suse.com/security/cve/CVE-2024-6612.html
- https://www.suse.com/security/cve/CVE-2024-6613.html
- https://www.suse.com/security/cve/CVE-2024-6614.html
- https://www.suse.com/security/cve/CVE-2024-6615.html
- https://www.suse.com/security/cve/CVE-2024-7518.html
- https://www.suse.com/security/cve/CVE-2024-7519.html
- https://www.suse.com/security/cve/CVE-2024-7520.html
- https://www.suse.com/security/cve/CVE-2024-7521.html
- https://www.suse.com/security/cve/CVE-2024-7522.html
- https://www.suse.com/security/cve/CVE-2024-7525.html
- https://www.suse.com/security/cve/CVE-2024-7526.html
- https://www.suse.com/security/cve/CVE-2024-7527.html
- https://www.suse.com/security/cve/CVE-2024-7528.html
- https://www.suse.com/security/cve/CVE-2024-7529.html
- https://www.suse.com/security/cve/CVE-2024-8381.html
- https://www.suse.com/security/cve/CVE-2024-8382.html
- https://www.suse.com/security/cve/CVE-2024-8384.html
- https://www.suse.com/security/cve/CVE-2024-8385.html
- https://www.suse.com/security/cve/CVE-2024-8386.html
- https://www.suse.com/security/cve/CVE-2024-8387.html
- https://www.suse.com/security/cve/CVE-2024-8394.html
- https://bugzilla.suse.com/show_bug.cgi?id=1184272
- https://bugzilla.suse.com/show_bug.cgi?id=1226316
- https://bugzilla.suse.com/show_bug.cgi?id=1228648
- https://bugzilla.suse.com/show_bug.cgi?id=1229821