Security update for MozillaThunderbird

Announcement ID: SUSE-SU-2022:4085-1
Rating: important
CVSS scores:
  • CVE-2022-42927 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-42927 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVE-2022-42928 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-42928 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-42929 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2022-42929 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2022-42932 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2022-42932 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-45403 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2022-45404 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2022-45405 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2022-45406 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2022-45408 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2022-45409 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-45410 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2022-45411 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2022-45412 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2022-45416 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2022-45418 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2022-45420 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2022-45421 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  • openSUSE Leap 15.4
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise Micro 5.1
  • SUSE Linux Enterprise Micro 5.2
  • SUSE Linux Enterprise Micro 5.3
  • SUSE Linux Enterprise Micro 5.4
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Linux Enterprise Workstation Extension 15 SP3
  • SUSE Linux Enterprise Workstation Extension 15 SP4
  • SUSE Manager Proxy 4.2
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.2
  • SUSE Manager Server 4.3
  • SUSE Package Hub 15 15-SP3
  • SUSE Package Hub 15 15-SP4

An update that solves 17 vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

  • Fixed various security issues (MFSA 2022-49, bsc#1205270):
  • CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
  • CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
  • CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
  • CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
  • CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
  • CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
  • CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
  • CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
  • CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
  • CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
  • CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
  • CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
  • CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5

  • Fixed various security issues (MFSA 2022-46, bsc#1204421):
  • CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
  • CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
  • CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
  • CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Thunderbird 102.4

  • Mozilla Thunderbird 102.5

  • changed: Ctrl+N shortcut to create new contacts from address book restored (bmo#1751288)
  • fixed: Account Settings UI did not update to reflect default identity changes (bmo#1782646)
  • fixed: New POP mail notifications were incorrectly shown for messages marked by filters as read or junk (bmo#1787531)
  • fixed: Connecting to an IMAP server configured to use PREAUTH caused Thunderbird to hang (bmo#1798161)
  • fixed: Error responses received in greeting header from NNTP servers did not display error message (bmo#1792281)
  • fixed: News messages sent using "Send Later" failed to send after going back online (bmo#1794997)
  • fixed: "Download/Sync Now..." did not completely sync all newsgroups before going offline (bmo#1795547)
  • fixed: Username was missing from error dialog on failed login to news server (bmo#1796964)
  • fixed: Thunderbird can now fetch RSS channel feeds with incomplete channel URL (bmo#1794775)
  • fixed: Add-on "Contribute" button in Add-ons Manager did not work (bmo#1795751)
  • fixed: Help text for /part Matrix command was incorrect (bmo#1795578)
  • fixed: Invite Attendees dialog did not fetch free/busy info for attendees with encoded characters in their name (bmo#1797927)

  • Mozilla Thunderbird 102.4.2

  • changed: "Address Book" button in Account Central will now create a CardDAV address book instead of a local address book (bmo#1793903)
  • fixed: Messages fetched from POP server in Fetch headers only mode disappeared when moved to different folder by filter action (bmo#1793374)
  • fixed: Thunderbird re-downloaded locally deleted messages from a POP server when "Leave messages on server" and "Until I delete them" were enabled (bmo#1796903)
  • fixed: Multiple password prompts for the same POP account could be displayed (bmo#1786920)
  • fixed: IMAP authentication failed on next startup if ImapMail folder was deleted by user (bmo#1793599)
  • fixed: Retrieving passwords for authenticated NNTP accounts could fail due to obsolete preferences in a users profile on every startup (bmo#1770594)
  • fixed: Get Next n Messages did not consistently fetch all messages requested from NNTP server (bmo#1794185)
  • fixed: Get Messages button unable to fetch messages from NNTP server if root folder not selected (bmo#1792362)
  • fixed: Thunderbird text branding did not always match locale of localized build (bmo#1786199)
  • fixed: Thunderbird installer and Thunderbird updater created Windows shortcuts with different names (bmo#1787264)
  • fixed: LDAP search filters unable to work with non-ASCII characters (bmo#1794306)
  • fixed: "Today" highlighting in Calendar Month view did not update after date change at midnight (bmo#1795176)

  • Mozilla Thunderbird 102.4.1

  • new: Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates (bmo#1793415)
  • fixed: Dynamic language switching did not update interface when switched to right-to-left languages (bmo#1794289)
  • fixed: Custom header data was discarded after messages were saved as draft and reopened (bmo#195716)
  • fixed: -remote command line argument did not work, affecting integration with various applications such as LibreOffice (bmo#1793323)
  • fixed: Messages received via some SMS-to-email services could not display images (bmo#1774805)
  • fixed: VCards with nickname field set could not be edited (bmo#1793877)
  • fixed: Some recurring events were missing from Agenda on first load (bmo#1771168)
  • fixed: Download requests for remote ICS calendars incorrectly set "Accept" header to text/xml (bmo#1793757)
  • fixed: Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month (bmo#1266797)
  • fixed: Various visual and UX improvements (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)
  • changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102 (bmo#1790610)
  • fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze (bmo#1792675)
  • fixed: Forwarding messages with special characters in Subject failed on Windows (bmo#1782173)
  • fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters (bmo#1789589)
  • fixed: Address Book display pane continued to show contacts after deletion (bmo#1777808)
  • fixed: Printing address book did not include all contact details (bmo#1782076)
  • fixed: CardDAV contacts without a Name property did not save to Google Contacts (bmo#1792101)
  • fixed: "Publish Calendar" did not work (bmo#1794471)
  • fixed: Calendar database storage improvements (bmo#1792124)
  • fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar (bmo#1792923)
  • fixed: Various visual and UX improvements (bmo#1776093, bmo#1780040, bmo#1780425, bmo#1792876, bmo#1792872, bmo#1793466, bmo#1793543)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2022-4085=1
  • SUSE Package Hub 15 15-SP3
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-4085=1
  • SUSE Package Hub 15 15-SP4
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4085=1
  • SUSE Linux Enterprise Workstation Extension 15 SP3
    zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-4085=1
  • SUSE Linux Enterprise Workstation Extension 15 SP4
    zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-4085=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    • MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
    • MozillaThunderbird-102.5.0-150200.8.90.1
    • MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
    • MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
    • MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
  • SUSE Package Hub 15 15-SP3 (aarch64 ppc64le s390x)
    • MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
    • MozillaThunderbird-102.5.0-150200.8.90.1
    • MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
    • MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
    • MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
  • SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x)
    • MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
    • MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
    • MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
    • MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
    • MozillaThunderbird-102.5.0-150200.8.90.1
  • SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
    • MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
    • MozillaThunderbird-102.5.0-150200.8.90.1
    • MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
    • MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
    • MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
  • SUSE Linux Enterprise Workstation Extension 15 SP4 (x86_64)
    • MozillaThunderbird-translations-common-102.5.0-150200.8.90.1
    • MozillaThunderbird-102.5.0-150200.8.90.1
    • MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1
    • MozillaThunderbird-translations-other-102.5.0-150200.8.90.1
    • MozillaThunderbird-debugsource-102.5.0-150200.8.90.1
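After running the patch command, the practical check is whether the installed MozillaThunderbird build is at or above 102.5.0-150200.8.90.1 from the Package List. The following added example (not part of the SUSE advisory or of any SUSE tooling) decides that from `rpm -q` output with an rpm-style version-release comparison. Assumptions: the rpm query format `%{NAME} %{VERSION}-%{RELEASE}` is used, the comparison is a simplified rpmvercmp (numeric segments compared numerically, alphabetic segments lexically; librpm's epoch, tilde and caret handling is omitted), and the sample `rpm -q` lines embedded in the block are constructed for illustration, including the older release number they show.

```python
"""Added example: decide whether installed MozillaThunderbird packages are at
or above the fixed build named in SUSE-SU-2022:4085-1. Not part of the advisory.
Simplified rpmvercmp (assumption): no epoch, tilde or caret handling."""
import re
import subprocess

FIXED_VR = "102.5.0-150200.8.90.1"          # VERSION-RELEASE from the Package List
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")   # rpm compares runs of digits or letters


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two rpm version (or release) labels."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the label with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings: version first, release as tiebreak."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when the installed build is the fixed build or newer."""
    return compare_vr(installed_vr, fixed_vr) >= 0


def assess(rpm_output: str, fixed_vr: str = FIXED_VR) -> dict:
    """Map package name to 'fixed', 'VULNERABLE' or 'not installed'.

    Input is the stdout of:
      rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' <packages...>
    rpm prints 'package X is not installed' for absent packages.
    """
    result = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("package ") and line.endswith("is not installed"):
            result[line.split()[1]] = "not installed"
            continue
        name, vr = line.split(" ", 1)
        result[name] = "fixed" if is_fixed(vr, fixed_vr) else "VULNERABLE"
    return result


def query_host(packages=("MozillaThunderbird",
                         "MozillaThunderbird-translations-common",
                         "MozillaThunderbird-translations-other")) -> str:
    """Run the rpm query on the local host (only meaningful on an RPM system)."""
    return subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *packages],
        capture_output=True, text=True, check=False).stdout


# Constructed sample output (not captured from a real host): one package still on
# an older 102.4.x build, one already at the fixed build, one absent.
SAMPLE_RPM_OUTPUT = """MozillaThunderbird 102.4.2-150200.8.87.1
MozillaThunderbird-translations-common 102.5.0-150200.8.90.1
package MozillaThunderbird-debuginfo is not installed
"""

if __name__ == "__main__":
    for name, state in assess(SAMPLE_RPM_OUTPUT).items():
        print(f"{name}: {state}")
```

Run `assess(query_host())` on a SUSE host to check the live system; the translations packages are included because the advisory ships them at the same version-release and a partially applied patch would leave them behind. A build newer than the fixed one (for example a later 102.x rebuild) is reported as fixed, since the comparison is "at or above", not "equal".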
