openSUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0231-1 Rating: important References: #1162777 #1163368 Cross-References: CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6797 CVE-2020-6798 CVE-2020-6800 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 68.5 (bsc#1162777) MFSA 2020-07 (bsc#1163368) * CVE-2020-6793 (bmo#1608539) Out-of-bounds read when processing certain email messages * CVE-2020-6794 (bmo#1606619) Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords * CVE-2020-6795 (bmo#1611105) Crash processing S/MIME messages with multiple signatures * CVE-2020-6797 (bmo#1596668) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX * CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection * CVE-2020-6792 (bmo#1609607) Message ID calculcation was based on uninitialized data * CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543, bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785) Memory safety bugs fixed in Thunderbird 68.5 * new: Support for Client Identity IMAP/SMTP Service Extension (bmo#1532388) * new: Support for OAuth 2.0 authentication for POP3 accounts (bmo#1538409) * fixed: Status area goes blank during account setup (bmo#1593122) * fixed: Calendar: Could not remove color for default categories (bmo#1584853) * fixed: Calendar: Prevent calendar component loading multiple times (bmo#1606375) * fixed: Calendar: Today pane did not retain width between sessions (bmo#1610207) * unresolved: When upgrading from Thunderbird version 60 to version 68, add-ons are not automatically updated during the upgrade process. They will however be updated during the add- on update check. It is of course possible to reinstall compatible add-ons via the Add-ons Manager or via addons.thunderbird.net. (bmo#1574183) * changed: Calendar: Task and Event tree colours adjusted for the dark theme (bmo#1608344) * fixed: Retrieval of S/MIME certificates from LDAP failed (bmo#1604773) * fixed: Address-parsing crash on some IMAP servers when preference mail.imap.use_envelope_cmd was set (bmo#1609690) * fixed: Incorrect forwarding of HTML messages caused SMTP servers to respond with a timeout (bmo#1222046) * fixed: Calendar: Various parts of the calendar UI stopped working when a second Thunderbird window opened (bmo#1608407) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-231=1 Package List: - openSUSE Leap 15.1 (x86_64): MozillaThunderbird-68.5.0-lp151.2.25.1 MozillaThunderbird-debuginfo-68.5.0-lp151.2.25.1 MozillaThunderbird-debugsource-68.5.0-lp151.2.25.1 MozillaThunderbird-translations-common-68.5.0-lp151.2.25.1 MozillaThunderbird-translations-other-68.5.0-lp151.2.25.1 References: https://www.suse.com/security/cve/CVE-2020-6792.html https://www.suse.com/security/cve/CVE-2020-6793.html https://www.suse.com/security/cve/CVE-2020-6794.html https://www.suse.com/security/cve/CVE-2020-6795.html https://www.suse.com/security/cve/CVE-2020-6797.html https://www.suse.com/security/cve/CVE-2020-6798.html https://www.suse.com/security/cve/CVE-2020-6800.html https://bugzilla.suse.com/1162777 https://bugzilla.suse.com/1163368 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org