# Security update for MozillaThunderbird Announcement ID: SUSE-SU-2023:3664-1 Rating: critical References: * #1214606 * #1215231 * #1215245 Cross-References: * CVE-2023-4051 * CVE-2023-4053 * CVE-2023-4573 * CVE-2023-4574 * CVE-2023-4575 * CVE-2023-4576 * CVE-2023-4577 * CVE-2023-4578 * CVE-2023-4580 * CVE-2023-4581 * CVE-2023-4582 * CVE-2023-4583 * CVE-2023-4584 * CVE-2023-4585 * CVE-2023-4863 CVSS scores: * CVE-2023-4051 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-4053 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2023-4573 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2023-4574 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2023-4575 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2023-4576 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N * CVE-2023-4577 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2023-4578 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2023-4580 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2023-4581 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N * CVE-2023-4582 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2023-4583 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-4584 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2023-4585 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2023-4863 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2023-4863 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.4 * openSUSE Leap 15.5 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Workstation Extension 15 SP4 * SUSE Linux Enterprise Workstation Extension 15 SP5 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 * SUSE Package Hub 15 15-SP4 * SUSE Package Hub 15 15-SP5 An update that solves 15 vulnerabilities can now be installed. ## Description: This update for MozillaThunderbird fixes the following issues: Security fixes: * Mozilla Thunderbird 115.2.2 (MFSA 2023-40, bsc#1215245) * CVE-2023-4863: Fixed heap buffer overflow in libwebp (bmo#1852649). * Mozilla Thunderbird 115.2 (MFSA 2023-38, bsc#1214606) * CVE-2023-4573: Memory corruption in IPC CanvasTranslator (bmo#1846687) * CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback (bmo#1846688) * CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback (bmo#1846689) * CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation (bmo#1846694) * CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics (bmo#1847397) * CVE-2023-4051: Full screen notification obscured by file open dialog (bmo#1821884) * CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception (bmo#1839007) * CVE-2023-4053: Full screen notification obscured by external program (bmo#1839079) * CVE-2023-4580: Push notifications saved to disk unencrypted (bmo#1843046) * CVE-2023-4581: XLL file extensions were downloadable without warnings (bmo#1843758) * CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv (bmo#1773874) * CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window (bmo#1842030) * CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529) * CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2 (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999) Other fixes: Mozilla Thunderbird 115.2.1 * new: Column separators are now shown between all columns in tree view (bmo#1847441) * fixed: Crash reporter did not work in Thunderbird Flatpak (bmo#1843102) * fixed: New mail notification always opened message in message pane, even if pane was disabled (bmo#1840092) * fixed: After moving an IMAP message to another folder, the incorrect message was selected in the message list (bmo#1845376) * fixed: Adding a tag to an IMAP message opened in a tab failed (bmo#1844452) * fixed: Junk/Spam folders were not always shown in Unified Folders mode (bmo#1838672) * fixed: Middle-clicking a folder or message did not open it in a background tab, as in previous versions (bmo#1842482) * fixed: Settings tab visual improvements: Advanced Fonts dialog, Section headers hidden behind search box (bmo#1717382,bmo#1846751) * fixed: Various visual and style fixes (bmo#1843707,bmo#1849823) Mozilla Thunderbird 115.2 * new: Thunderbird MSIX packages are now published on archive.mozilla.org (bmo#1817657) * changed: Size, Unread, and Total columns are now right- aligned (bmo#1848604) * changed: Newsgroup names in message list header are now abbreviated (bmo#1833298) * fixed: Message compose window did not apply theme colors to menus (bmo#1845699) * fixed: Reading the second new message in a folder cleared the unread indicator of all other new messages (bmo#1839805) * fixed: Displayed counts of unread or flagged messages could become out-of-sync (bmo#1846860) * fixed: Deleting a message from the context menu with messages sorted in chronological order and smooth scroll enabled caused message list to scroll to top (bmo#1843462) * fixed: Repeatedly switching accounts in Subscribe dialog caused tree view to stop updating (bmo#1845593) * fixed: "Ignore thread" caused message cards to display incorrectly in message list (bmo#1847966) * fixed: Creating tags from unified toolbar failed (bmo#1846336) * fixed: Cross-folder navigation using F and N did not work (bmo#1845011) * fixed: Account Manager did not resize to fit content, causing "Close" button to become hidden outside bounds of dialog when too many accounts were listed (bmo#1847555) * fixed: Remote content exceptions could not be added in Settings (bmo#1847576) * fixed: Newsgroup list file did not get updated after adding a new NNTP server (bmo#1845464) * fixed: "Download all headers" option in NNTP "Download Headers" dialog was incorrectly selected by default (bmo#1845457) * fixed: "Convert to event/task" was missing from mail context menu (bmo#1817705) * fixed: Events and tasks were not shown in some cases despite being present on remote server (bmo#1827100) * fixed: Various visual and UX improvements (bmo#1844244,bmo#1845645) * Mozilla Thunderbird 115.1.1 * fixed: Some HTML emails printed headers on first page and message on subsequent pages (bmo#1843628) * fixed: Deleting messages from message list sometimes scrolled list to bottom, selecting bottommost message (bmo#1835173) * fixed: Width of icon columns (like Junk or Starred) in message list did not adjust when UI density was changed (bmo#1843014) * fixed: Old OpenPGP secret keys could not be used to decrypt messages under certain circumstances (bmo#1835786) * fixed: When multiple folder modes were active, tab focus navigated through all folder mode options before reaching message list (bmo#1842060) * fixed: Unread message count badge was not displayed on parent folders of subfolder containing unread messages (bmo#1844534) * fixed: "Undo archive" (via Ctrl-Z) did not un-archive previously archived messages (bmo#1829340) * fixed: "New" button dropdown menu in "Message Filters" dialog could not be opened via keyboard navigation (bmo#1843511) * fixed: "Show New Mail Alert for" input field in "Customize New Mail Alert" dialog had zero width when using certain language packs (bmo#1845832) * fixed: "Account Wizard" dialog was too narrow when adding a news server, partially hiding confirmation buttons (bmo#1846588) * fixed: Link Properties and Image Properties dialogs in the composer were too wide (bmo#1816850) * fixed: Thunderbird version number and details in "About" dialog were not automatically read by screen readers when first opening dialog (bmo#1847078) * fixed: Flatpak improvements and bug fixes (bmo#1825399,bmo#1843094,bmo#1843097) * fixed: Various visual and UX improvements (bmo#1846262) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Workstation Extension 15 SP5 zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2023-3664=1 * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-3664=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-3664=1 * SUSE Package Hub 15 15-SP4 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-3664=1 * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-3664=1 * SUSE Linux Enterprise Workstation Extension 15 SP4 zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2023-3664=1 ## Package List: * SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64) * MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-common-115.2.2-150200.8.130.1 * MozillaThunderbird-115.2.2-150200.8.130.1 * MozillaThunderbird-debugsource-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-other-115.2.2-150200.8.130.1 * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-common-115.2.2-150200.8.130.1 * MozillaThunderbird-115.2.2-150200.8.130.1 * MozillaThunderbird-debugsource-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-other-115.2.2-150200.8.130.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-common-115.2.2-150200.8.130.1 * MozillaThunderbird-115.2.2-150200.8.130.1 * MozillaThunderbird-debugsource-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-other-115.2.2-150200.8.130.1 * SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x) * MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-common-115.2.2-150200.8.130.1 * MozillaThunderbird-115.2.2-150200.8.130.1 * MozillaThunderbird-debugsource-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-other-115.2.2-150200.8.130.1 * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x) * MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-common-115.2.2-150200.8.130.1 * MozillaThunderbird-115.2.2-150200.8.130.1 * MozillaThunderbird-debugsource-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-other-115.2.2-150200.8.130.1 * SUSE Linux Enterprise Workstation Extension 15 SP4 (x86_64) * MozillaThunderbird-debuginfo-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-common-115.2.2-150200.8.130.1 * MozillaThunderbird-115.2.2-150200.8.130.1 * MozillaThunderbird-debugsource-115.2.2-150200.8.130.1 * MozillaThunderbird-translations-other-115.2.2-150200.8.130.1 ## References: * https://www.suse.com/security/cve/CVE-2023-4051.html * https://www.suse.com/security/cve/CVE-2023-4053.html * https://www.suse.com/security/cve/CVE-2023-4573.html * https://www.suse.com/security/cve/CVE-2023-4574.html * https://www.suse.com/security/cve/CVE-2023-4575.html * https://www.suse.com/security/cve/CVE-2023-4576.html * https://www.suse.com/security/cve/CVE-2023-4577.html * https://www.suse.com/security/cve/CVE-2023-4578.html * https://www.suse.com/security/cve/CVE-2023-4580.html * https://www.suse.com/security/cve/CVE-2023-4581.html * https://www.suse.com/security/cve/CVE-2023-4582.html * https://www.suse.com/security/cve/CVE-2023-4583.html * https://www.suse.com/security/cve/CVE-2023-4584.html * https://www.suse.com/security/cve/CVE-2023-4585.html * https://www.suse.com/security/cve/CVE-2023-4863.html * https://bugzilla.suse.com/show_bug.cgi?id=1214606 * https://bugzilla.suse.com/show_bug.cgi?id=1215231 * https://bugzilla.suse.com/show_bug.cgi?id=1215245