SUSE-SU-2022:4085-1

This update for MozillaThunderbird fixes the following issues:

• Fixed various security issues (MFSA 2022-49, bsc#1205270):

  • CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
  • CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
  • CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
  • CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
  • CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
  • CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
  • CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
  • CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
  • CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
  • CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
  • CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
  • CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
  • CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5

• Fixed various security issues: (MFSA 2022-46, bsc#1204421):

  • CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
  • CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
  • CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
  • CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Thunderbird 102.4

• Mozilla Thunderbird 102.5

  • changed: Ctrl+N shortcut to create new contacts from address book restored (bmo#1751288)
  • fixed: Account Settings UI did not update to reflect default identity changes (bmo#1782646)
  • fixed: New POP mail notifications were incorrectly shown for messages marked by filters as read or junk (bmo#1787531)
  • fixed: Connecting to an IMAP server configured to use PREAUTH caused Thunderbird to hang (bmo#1798161)
  • fixed: Error responses received in greeting header from NNTP servers did not display error message (bmo#1792281)
  • fixed: News messages sent using 'Send Later' failed to send after going back online (bmo#1794997)
  • fixed: 'Download/Sync Now...' did not completely sync all newsgroups before going offline (bmo#1795547)
  • fixed: Username was missing from error dialog on failed login to news server (bmo#1796964)
  • fixed: Thunderbird can now fetch RSS channel feeds with incomplete channel URL (bmo#1794775)
  • fixed: Add-on 'Contribute' button in Add-ons Manager did not work (bmo#1795751)
  • fixed: Help text for /part Matrix command was incorrect (bmo#1795578)
  • fixed: Invite Attendees dialog did not fetch free/busy info for attendees with encoded characters in their name (bmo#1797927)

• Mozilla Thunderbird 102.4.2

  • changed: 'Address Book' button in Account Central will now create a CardDAV address book instead of a local address book (bmo#1793903)
  • fixed: Messages fetched from POP server in Fetch headers only mode disappeared when moved to different folder by filter action (bmo#1793374)
  • fixed: Thunderbird re-downloaded locally deleted messages from a POP server when 'Leave messages on server' and 'Until I delete them' were enabled (bmo#1796903)
  • fixed: Multiple password prompts for the same POP account could be displayed (bmo#1786920)
  • fixed: IMAP authentication failed on next startup if ImapMail folder was deleted by user (bmo#1793599)
  • fixed: Retrieving passwords for authenticated NNTP accounts could fail due to obsolete preferences in a users profile on every startup (bmo#1770594)
  • fixed: Get Next n Messages did not consistently fetch all messages requested from NNTP server (bmo#1794185)
  • fixed: Get Messages button unable to fetch messages from NNTP server if root folder not selected (bmo#1792362)
  • fixed: Thunderbird text branding did not always match locale of localized build (bmo#1786199)
  • fixed: Thunderbird installer and Thunderbird updater created Windows shortcuts with different names (bmo#1787264)
  • fixed: LDAP search filters unable to work with non-ASCII characters (bmo#1794306)
  • fixed: 'Today' highlighting in Calendar Month view did not update after date change at midnight (bmo#1795176)

• Mozilla Thunderbird 102.4.1

  • new: Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates (bmo#1793415)
  • fixed: Dynamic language switching did not update interface when switched to right-to-left languages (bmo#1794289)
  • fixed: Custom header data was discarded after messages were saved as draft and reopened (bmo#195716)
  • fixed: -remote command line argument did not work, affecting integration with various applications such as LibreOffice (bmo#1793323)
  • fixed: Messages received via some SMS-to-email services could not display images (bmo#1774805)
  • fixed: VCards with nickname field set could not be edited (bmo#1793877)
  • fixed: Some recurring events were missing from Agenda on first load (bmo#1771168)
  • fixed: Download requests for remote ICS calendars incorrectly set 'Accept' header to text/xml (bmo#1793757)
  • fixed: Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month (bmo#1266797)

  • fixed: Various visual and UX improvements (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)

  • changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102 (bmo#1790610)

  • fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze (bmo#1792675)
  • fixed: Forwarding messages with special characters in Subject failed on Windows (bmo#1782173)
  • fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters (bmo#1789589)
  • fixed: Address Book display pane continued to show contacts after deletion (bmo#1777808)
  • fixed: Printing address book did not include all contact details (bmo#1782076)
  • fixed: CardDAV contacts without a Name property did not save to Google Contacts (bmo#1792101)
  • fixed: 'Publish Calendar' did not work (bmo#1794471)
  • fixed: Calendar database storage improvements (bmo#1792124)
  • fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar (bmo#1792923)
  • fixed: Various visual and UX improvements (bmo#1776093,bmo#17 80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179 3543)