SUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:4085-1 Rating: important References: #1204421 #1205270 Cross-References: CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932 CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420 CVE-2022-45421 CVSS scores: CVE-2022-42927 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-42928 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-42929 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2022-42932 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Products: SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Desktop 15-SP3 SUSE Linux Enterprise Desktop 15-SP4 SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 SUSE Linux Enterprise Server 15-SP3 SUSE Linux Enterprise Server 15-SP4 SUSE Linux Enterprise Server for SAP Applications 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15-SP4 SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP4 SUSE Manager Proxy 4.2 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.2 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.2 SUSE Manager Server 4.3 openSUSE Leap 15.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: This update for MozillaThunderbird fixes the following issues: - Fixed various security issues (MFSA 2022-49, bsc#1205270): * CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files * CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass * CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation * CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm * CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName * CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection * CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy * CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers * CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers * CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage * CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI * CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5 - Fixed various security issues: (MFSA 2022-46, bsc#1204421): * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs * CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Thunderbird 102.4 - Mozilla Thunderbird 102.5 * changed: `Ctrl+N` shortcut to create new contacts from address book restored (bmo#1751288) * fixed: Account Settings UI did not update to reflect default identity changes (bmo#1782646) * fixed: New POP mail notifications were incorrectly shown for messages marked by filters as read or junk (bmo#1787531) * fixed: Connecting to an IMAP server configured to use `PREAUTH` caused Thunderbird to hang (bmo#1798161) * fixed: Error responses received in greeting header from NNTP servers did not display error message (bmo#1792281) * fixed: News messages sent using "Send Later" failed to send after going back online (bmo#1794997) * fixed: "Download/Sync Now..." did not completely sync all newsgroups before going offline (bmo#1795547) * fixed: Username was missing from error dialog on failed login to news server (bmo#1796964) * fixed: Thunderbird can now fetch RSS channel feeds with incomplete channel URL (bmo#1794775) * fixed: Add-on "Contribute" button in Add-ons Manager did not work (bmo#1795751) * fixed: Help text for `/part` Matrix command was incorrect (bmo#1795578) * fixed: Invite Attendees dialog did not fetch free/busy info for attendees with encoded characters in their name (bmo#1797927) - Mozilla Thunderbird 102.4.2 * changed: "Address Book" button in Account Central will now create a CardDAV address book instead of a local address book (bmo#1793903) * fixed: Messages fetched from POP server in `Fetch headers only` mode disappeared when moved to different folder by filter action (bmo#1793374) * fixed: Thunderbird re-downloaded locally deleted messages from a POP server when "Leave messages on server" and "Until I delete them" were enabled (bmo#1796903) * fixed: Multiple password prompts for the same POP account could be displayed (bmo#1786920) * fixed: IMAP authentication failed on next startup if ImapMail folder was deleted by user (bmo#1793599) * fixed: Retrieving passwords for authenticated NNTP accounts could fail due to obsolete preferences in a users profile on every startup (bmo#1770594) * fixed: `Get Next n Messages` did not consistently fetch all messages requested from NNTP server (bmo#1794185) * fixed: `Get Messages` button unable to fetch messages from NNTP server if root folder not selected (bmo#1792362) * fixed: Thunderbird text branding did not always match locale of localized build (bmo#1786199) * fixed: Thunderbird installer and Thunderbird updater created Windows shortcuts with different names (bmo#1787264) * fixed: LDAP search filters unable to work with non-ASCII characters (bmo#1794306) * fixed: "Today" highlighting in Calendar Month view did not update after date change at midnight (bmo#1795176) - Mozilla Thunderbird 102.4.1 * new: Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates (bmo#1793415) * fixed: Dynamic language switching did not update interface when switched to right-to-left languages (bmo#1794289) * fixed: Custom header data was discarded after messages were saved as draft and reopened (bmo#195716) * fixed: `-remote` command line argument did not work, affecting integration with various applications such as LibreOffice (bmo#1793323) * fixed: Messages received via some SMS-to-email services could not display images (bmo#1774805) * fixed: VCards with nickname field set could not be edited (bmo#1793877) * fixed: Some recurring events were missing from Agenda on first load (bmo#1771168) * fixed: Download requests for remote ICS calendars incorrectly set "Accept" header to text/xml (bmo#1793757) * fixed: Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month (bmo#1266797) * fixed: Various visual and UX improvements (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399) * changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102 (bmo#1790610) * fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze (bmo#1792675) * fixed: Forwarding messages with special characters in Subject failed on Windows (bmo#1782173) * fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters (bmo#1789589) * fixed: Address Book display pane continued to show contacts after deletion (bmo#1777808) * fixed: Printing address book did not include all contact details (bmo#1782076) * fixed: CardDAV contacts without a Name property did not save to Google Contacts (bmo#1792101) * fixed: "Publish Calendar" did not work (bmo#1794471) * fixed: Calendar database storage improvements (bmo#1792124) * fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar (bmo#1792923) * fixed: Various visual and UX improvements (bmo#1776093,bmo#17 80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179 3543) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-4085=1 - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-4085=1 - SUSE Linux Enterprise Workstation Extension 15-SP4: zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-4085=1 - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-4085=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4085=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-4085=1 Package List: - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): MozillaThunderbird-102.5.0-150200.8.90.1 MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1 MozillaThunderbird-debugsource-102.5.0-150200.8.90.1 MozillaThunderbird-translations-common-102.5.0-150200.8.90.1 MozillaThunderbird-translations-other-102.5.0-150200.8.90.1 - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): MozillaThunderbird-102.5.0-150200.8.90.1 MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1 MozillaThunderbird-debugsource-102.5.0-150200.8.90.1 MozillaThunderbird-translations-common-102.5.0-150200.8.90.1 MozillaThunderbird-translations-other-102.5.0-150200.8.90.1 - SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64): MozillaThunderbird-102.5.0-150200.8.90.1 MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1 MozillaThunderbird-debugsource-102.5.0-150200.8.90.1 MozillaThunderbird-translations-common-102.5.0-150200.8.90.1 MozillaThunderbird-translations-other-102.5.0-150200.8.90.1 - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): MozillaThunderbird-102.5.0-150200.8.90.1 MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1 MozillaThunderbird-debugsource-102.5.0-150200.8.90.1 MozillaThunderbird-translations-common-102.5.0-150200.8.90.1 MozillaThunderbird-translations-other-102.5.0-150200.8.90.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x): MozillaThunderbird-102.5.0-150200.8.90.1 MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1 MozillaThunderbird-debugsource-102.5.0-150200.8.90.1 MozillaThunderbird-translations-common-102.5.0-150200.8.90.1 MozillaThunderbird-translations-other-102.5.0-150200.8.90.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x): MozillaThunderbird-102.5.0-150200.8.90.1 MozillaThunderbird-debuginfo-102.5.0-150200.8.90.1 MozillaThunderbird-debugsource-102.5.0-150200.8.90.1 MozillaThunderbird-translations-common-102.5.0-150200.8.90.1 MozillaThunderbird-translations-other-102.5.0-150200.8.90.1 References: https://www.suse.com/security/cve/CVE-2022-42927.html https://www.suse.com/security/cve/CVE-2022-42928.html https://www.suse.com/security/cve/CVE-2022-42929.html https://www.suse.com/security/cve/CVE-2022-42932.html https://www.suse.com/security/cve/CVE-2022-45403.html https://www.suse.com/security/cve/CVE-2022-45404.html https://www.suse.com/security/cve/CVE-2022-45405.html https://www.suse.com/security/cve/CVE-2022-45406.html https://www.suse.com/security/cve/CVE-2022-45408.html https://www.suse.com/security/cve/CVE-2022-45409.html https://www.suse.com/security/cve/CVE-2022-45410.html https://www.suse.com/security/cve/CVE-2022-45411.html https://www.suse.com/security/cve/CVE-2022-45412.html https://www.suse.com/security/cve/CVE-2022-45416.html https://www.suse.com/security/cve/CVE-2022-45418.html https://www.suse.com/security/cve/CVE-2022-45420.html https://www.suse.com/security/cve/CVE-2022-45421.html https://bugzilla.suse.com/1204421 https://bugzilla.suse.com/1205270