SUSE-SU-2022:4085-1

Source
https://www.suse.com/support/update/announcement/2022/suse-su-20224085-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:4085-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2022:4085-1
Published
2022-11-18T15:39:11Z
Modified
2022-11-18T15:39:11Z
Summary
Security update for MozillaThunderbird
Details

This update for MozillaThunderbird fixes the following issues:

  • Fixed various security issues (MFSA 2022-49, bsc#1205270):

    • CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
    • CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
    • CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
    • CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
    • CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
    • CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
    • CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
    • CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
    • CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
    • CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
    • CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
    • CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
    • CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5
  • Fixed various security issues (MFSA 2022-46, bsc#1204421):

    • CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
    • CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
    • CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
    • CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Thunderbird 102.4
  • Mozilla Thunderbird 102.5

    • changed: Ctrl+N shortcut to create new contacts from address book restored (bmo#1751288)
    • fixed: Account Settings UI did not update to reflect default identity changes (bmo#1782646)
    • fixed: New POP mail notifications were incorrectly shown for messages marked by filters as read or junk (bmo#1787531)
    • fixed: Connecting to an IMAP server configured to use PREAUTH caused Thunderbird to hang (bmo#1798161)
    • fixed: Error responses received in greeting header from NNTP servers did not display error message (bmo#1792281)
    • fixed: News messages sent using 'Send Later' failed to send after going back online (bmo#1794997)
    • fixed: 'Download/Sync Now...' did not completely sync all newsgroups before going offline (bmo#1795547)
    • fixed: Username was missing from error dialog on failed login to news server (bmo#1796964)
    • fixed: Thunderbird can now fetch RSS channel feeds with incomplete channel URL (bmo#1794775)
    • fixed: Add-on 'Contribute' button in Add-ons Manager did not work (bmo#1795751)
    • fixed: Help text for /part Matrix command was incorrect (bmo#1795578)
    • fixed: Invite Attendees dialog did not fetch free/busy info for attendees with encoded characters in their name (bmo#1797927)
  • Mozilla Thunderbird 102.4.2

    • changed: 'Address Book' button in Account Central will now create a CardDAV address book instead of a local address book (bmo#1793903)
    • fixed: Messages fetched from POP server in Fetch headers only mode disappeared when moved to different folder by filter action (bmo#1793374)
    • fixed: Thunderbird re-downloaded locally deleted messages from a POP server when 'Leave messages on server' and 'Until I delete them' were enabled (bmo#1796903)
    • fixed: Multiple password prompts for the same POP account could be displayed (bmo#1786920)
    • fixed: IMAP authentication failed on next startup if ImapMail folder was deleted by user (bmo#1793599)
    • fixed: Retrieving passwords for authenticated NNTP accounts could fail due to obsolete preferences in a user's profile on every startup (bmo#1770594)
    • fixed: Get Next n Messages did not consistently fetch all messages requested from NNTP server (bmo#1794185)
    • fixed: Get Messages button unable to fetch messages from NNTP server if root folder not selected (bmo#1792362)
    • fixed: Thunderbird text branding did not always match locale of localized build (bmo#1786199)
    • fixed: Thunderbird installer and Thunderbird updater created Windows shortcuts with different names (bmo#1787264)
    • fixed: LDAP search filters unable to work with non-ASCII characters (bmo#1794306)
    • fixed: 'Today' highlighting in Calendar Month view did not update after date change at midnight (bmo#1795176)
  • Mozilla Thunderbird 102.4.1

    • new: Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates (bmo#1793415)
    • fixed: Dynamic language switching did not update interface when switched to right-to-left languages (bmo#1794289)
    • fixed: Custom header data was discarded after messages were saved as draft and reopened (bmo#195716)
    • fixed: -remote command line argument did not work, affecting integration with various applications such as LibreOffice (bmo#1793323)
    • fixed: Messages received via some SMS-to-email services could not display images (bmo#1774805)
    • fixed: VCards with nickname field set could not be edited (bmo#1793877)
    • fixed: Some recurring events were missing from Agenda on first load (bmo#1771168)
    • fixed: Download requests for remote ICS calendars incorrectly set 'Accept' header to text/xml (bmo#1793757)
    • fixed: Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month (bmo#1266797)
    • fixed: Various visual and UX improvements (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)

    • changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102 (bmo#1790610)

    • fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze (bmo#1792675)
    • fixed: Forwarding messages with special characters in Subject failed on Windows (bmo#1782173)
    • fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters (bmo#1789589)
    • fixed: Address Book display pane continued to show contacts after deletion (bmo#1777808)
    • fixed: Printing address book did not include all contact details (bmo#1782076)
    • fixed: CardDAV contacts without a Name property did not save to Google Contacts (bmo#1792101)
    • fixed: 'Publish Calendar' did not work (bmo#1794471)
    • fixed: Calendar database storage improvements (bmo#1792124)
    • fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar (bmo#1792923)
    • fixed: Various visual and UX improvements (bmo#1776093,bmo#1780040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#1793543)

Affected packages

SUSE:Linux Enterprise Module for Package Hub 15 SP3 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
102.5.0-150200.8.90.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-other": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-common": "102.5.0-150200.8.90.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP4 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
102.5.0-150200.8.90.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-other": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-common": "102.5.0-150200.8.90.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 15 SP3 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
102.5.0-150200.8.90.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-other": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-common": "102.5.0-150200.8.90.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 15 SP4 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
102.5.0-150200.8.90.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-other": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-common": "102.5.0-150200.8.90.1"
        }
    ]
}

openSUSE:Leap 15.3 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
102.5.0-150200.8.90.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-other": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-common": "102.5.0-150200.8.90.1"
        }
    ]
}

openSUSE:Leap 15.4 / MozillaThunderbird

Package

Name
MozillaThunderbird
Purl
purl:rpm/suse/MozillaThunderbird&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
102.5.0-150200.8.90.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-other": "102.5.0-150200.8.90.1",
            "MozillaThunderbird-translations-common": "102.5.0-150200.8.90.1"
        }
    ]
}