Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2023:3664-1
Rating:	critical
References:	#1214606 #1215231 #1215245
Cross-References:	CVE-2023-4051 CVE-2023-4053 CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4576 CVE-2023-4577 CVE-2023-4578 CVE-2023-4580 CVE-2023-4581 CVE-2023-4582 CVE-2023-4583 CVE-2023-4584 CVE-2023-4585 CVE-2023-4863
CVSS scores:	CVE-2023-4051 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2023-4053 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2023-4573 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-4574 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-4575 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-4576 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2023-4577 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-4578 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-4580 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2023-4581 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2023-4582 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4583 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2023-4584 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4585 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4863 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-4863 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP4 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 SUSE Package Hub 15 15-SP4 SUSE Package Hub 15 15-SP5

An update that solves 15 vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Security fixes:

• Mozilla Thunderbird 115.2.2 (MFSA 2023-40, bsc#1215245)

• CVE-2023-4863: Fixed heap buffer overflow in libwebp (bmo#1852649).

• Mozilla Thunderbird 115.2 (MFSA 2023-38, bsc#1214606)

• CVE-2023-4573: Memory corruption in IPC CanvasTranslator (bmo#1846687)
• CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback (bmo#1846688)
• CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback (bmo#1846689)
• CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation (bmo#1846694)
• CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics (bmo#1847397)
• CVE-2023-4051: Full screen notification obscured by file open dialog (bmo#1821884)
• CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception (bmo#1839007)
• CVE-2023-4053: Full screen notification obscured by external program (bmo#1839079)
• CVE-2023-4580: Push notifications saved to disk unencrypted (bmo#1843046)
• CVE-2023-4581: XLL file extensions were downloadable without warnings (bmo#1843758)
• CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv (bmo#1773874)
• CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window (bmo#1842030)
• CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529)
• CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2 (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999)

Other fixes:

Mozilla Thunderbird 115.2.1 * new: Column separators are now shown between all columns in tree view (bmo#1847441) * fixed: Crash reporter did not work in Thunderbird Flatpak (bmo#1843102) * fixed: New mail notification always opened message in message pane, even if pane was disabled (bmo#1840092) * fixed: After moving an IMAP message to another folder, the incorrect message was selected in the message list (bmo#1845376) * fixed: Adding a tag to an IMAP message opened in a tab failed (bmo#1844452) * fixed: Junk/Spam folders were not always shown in Unified Folders mode (bmo#1838672) * fixed: Middle-clicking a folder or message did not open it in a background tab, as in previous versions (bmo#1842482) * fixed: Settings tab visual improvements: Advanced Fonts dialog, Section headers hidden behind search box (bmo#1717382,bmo#1846751) * fixed: Various visual and style fixes (bmo#1843707,bmo#1849823)

Mozilla Thunderbird 115.2 * new: Thunderbird MSIX packages are now published on archive.mozilla.org (bmo#1817657) * changed: Size, Unread, and Total columns are now right- aligned (bmo#1848604) * changed: Newsgroup names in message list header are now abbreviated (bmo#1833298) * fixed: Message compose window did not apply theme colors to menus (bmo#1845699) * fixed: Reading the second new message in a folder cleared the unread indicator of all other new messages (bmo#1839805) * fixed: Displayed counts of unread or flagged messages could become out-of-sync (bmo#1846860) * fixed: Deleting a message from the context menu with messages sorted in chronological order and smooth scroll enabled caused message list to scroll to top (bmo#1843462) * fixed: Repeatedly switching accounts in Subscribe dialog caused tree view to stop updating (bmo#1845593) * fixed: "Ignore thread" caused message cards to display incorrectly in message list (bmo#1847966) * fixed: Creating tags from unified toolbar failed (bmo#1846336) * fixed: Cross-folder navigation using F and N did not work (bmo#1845011) * fixed: Account Manager did not resize to fit content, causing "Close" button to become hidden outside bounds of dialog when too many accounts were listed (bmo#1847555) * fixed: Remote content exceptions could not be added in Settings (bmo#1847576) * fixed: Newsgroup list file did not get updated after adding a new NNTP server (bmo#1845464) * fixed: "Download all headers" option in NNTP "Download Headers" dialog was incorrectly selected by default (bmo#1845457) * fixed: "Convert to event/task" was missing from mail context menu (bmo#1817705) * fixed: Events and tasks were not shown in some cases despite being present on remote server (bmo#1827100) * fixed: Various visual and UX improvements (bmo#1844244,bmo#1845645)

• Mozilla Thunderbird 115.1.1
• fixed: Some HTML emails printed headers on first page and message on subsequent pages (bmo#1843628)
• fixed: Deleting messages from message list sometimes scrolled list to bottom, selecting bottommost message (bmo#1835173)
• fixed: Width of icon columns (like Junk or Starred) in message list did not adjust when UI density was changed (bmo#1843014)
• fixed: Old OpenPGP secret keys could not be used to decrypt messages under certain circumstances (bmo#1835786)
• fixed: When multiple folder modes were active, tab focus navigated through all folder mode options before reaching message list (bmo#1842060)
• fixed: Unread message count badge was not displayed on parent folders of subfolder containing unread messages (bmo#1844534)
• fixed: "Undo archive" (via Ctrl-Z) did not un-archive previously archived messages (bmo#1829340)
• fixed: "New" button dropdown menu in "Message Filters" dialog could not be opened via keyboard navigation (bmo#1843511)
• fixed: "Show New Mail Alert for" input field in "Customize New Mail Alert" dialog had zero width when using certain language packs (bmo#1845832)
• fixed: "Account Wizard" dialog was too narrow when adding a news server, partially hiding confirmation buttons (bmo#1846588)
• fixed: Link Properties and Image Properties dialogs in the composer were too wide (bmo#1816850)
• fixed: Thunderbird version number and details in "About" dialog were not automatically read by screen readers when first opening dialog (bmo#1847078)
• fixed: Flatpak improvements and bug fixes (bmo#1825399,bmo#1843094,bmo#1843097)
• fixed: Various visual and UX improvements (bmo#1846262)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP5
  zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2023-3664=1
• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-3664=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-3664=1
• SUSE Package Hub 15 15-SP4
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-3664=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-3664=1
• SUSE Linux Enterprise Workstation Extension 15 SP4
  zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2023-3664=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
  • MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-common-115.2.2-150200.8.130.1
  • MozillaThunderbird-115.2.2-150200.8.130.1
  • MozillaThunderbird-debugsource-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-other-115.2.2-150200.8.130.1
• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-common-115.2.2-150200.8.130.1
  • MozillaThunderbird-115.2.2-150200.8.130.1
  • MozillaThunderbird-debugsource-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-other-115.2.2-150200.8.130.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-common-115.2.2-150200.8.130.1
  • MozillaThunderbird-115.2.2-150200.8.130.1
  • MozillaThunderbird-debugsource-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-other-115.2.2-150200.8.130.1
• SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x)
  • MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-common-115.2.2-150200.8.130.1
  • MozillaThunderbird-115.2.2-150200.8.130.1
  • MozillaThunderbird-debugsource-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-other-115.2.2-150200.8.130.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x)
  • MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-common-115.2.2-150200.8.130.1
  • MozillaThunderbird-115.2.2-150200.8.130.1
  • MozillaThunderbird-debugsource-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-other-115.2.2-150200.8.130.1
• SUSE Linux Enterprise Workstation Extension 15 SP4 (x86_64)
  • MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-common-115.2.2-150200.8.130.1
  • MozillaThunderbird-115.2.2-150200.8.130.1
  • MozillaThunderbird-debugsource-115.2.2-150200.8.130.1
  • MozillaThunderbird-translations-other-115.2.2-150200.8.130.1

References:

• https://www.suse.com/security/cve/CVE-2023-4051.html
• https://www.suse.com/security/cve/CVE-2023-4053.html
• https://www.suse.com/security/cve/CVE-2023-4573.html
• https://www.suse.com/security/cve/CVE-2023-4574.html
• https://www.suse.com/security/cve/CVE-2023-4575.html
• https://www.suse.com/security/cve/CVE-2023-4576.html
• https://www.suse.com/security/cve/CVE-2023-4577.html
• https://www.suse.com/security/cve/CVE-2023-4578.html
• https://www.suse.com/security/cve/CVE-2023-4580.html
• https://www.suse.com/security/cve/CVE-2023-4581.html
• https://www.suse.com/security/cve/CVE-2023-4582.html
• https://www.suse.com/security/cve/CVE-2023-4583.html
• https://www.suse.com/security/cve/CVE-2023-4584.html
• https://www.suse.com/security/cve/CVE-2023-4585.html
• https://www.suse.com/security/cve/CVE-2023-4863.html
• https://bugzilla.suse.com/show_bug.cgi?id=1214606
• https://bugzilla.suse.com/show_bug.cgi?id=1215231
• https://bugzilla.suse.com/show_bug.cgi?id=1215245