SUSE 5055 Published by

A MozillaThunderbird security update has been released for SUSE Linux Enterprise and openSUSE Leap 15.3/15.4.

SUSE-SU-2022:4085-1: important: Security update for MozillaThunderbird

SUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________

Announcement ID: SUSE-SU-2022:4085-1
Rating: important
References: #1204421 #1205270
Cross-References: CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932 CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420 CVE-2022-45421
CVSS scores:
CVE-2022-42927 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-42928 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-42929 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-42932 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15-SP3SUSE Linux Enterprise Server for SAP Applications 15-SP4SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP4 SUSE Manager Proxy 4.2
SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.2
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.2
SUSE Manager Server 4.3
openSUSE Leap 15.3
openSUSE Leap 15.4

An update that fixes 17 vulnerabilities is now available.

This update for MozillaThunderbird fixes the following issues:
- Fixed various security issues (MFSA 2022-49, bsc#1205270): * CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass * CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm * CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection * CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage * CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn
over browser UI
* CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside
the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5

- Fixed various security issues: (MFSA 2022-46, bsc#1204421): * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Thunderbird 102.4

- Mozilla Thunderbird 102.5
* changed: `Ctrl+N` shortcut to create new contacts from address book restored (bmo#1751288)
* fixed: Account Settings UI did not update to reflect default identitychanges (bmo#1782646)
* fixed: New POP mail notifications were incorrectly shown for messagesmarked by filters as read or junk (bmo#1787531)
* fixed: Connecting to an IMAP server configured to use `PREAUTH` caused
Thunderbird to hang (bmo#1798161)
* fixed: Error responses received in greeting header from NNTP servers did not display error message (bmo#1792281)
* fixed: News messages sent using "Send Later" failed to send after going back online (bmo#1794997)
* fixed: "Download/Sync Now..." did not completely sync all newsgroups before going offline (bmo#1795547)
* fixed: Username was missing from error dialog on failed login to newsserver (bmo#1796964)
* fixed: Thunderbird can now fetch RSS channel feeds with incomplete channel URL (bmo#1794775)
* fixed: Add-on "Contribute" button in Add-ons Manager did not work (bmo#1795751)
* fixed: Help text for `/part` Matrix command was incorrect (bmo#1795578)
* fixed: Invite Attendees dialog did not fetch free/busy info for attendees with encoded characters in their name (bmo#1797927)
- Mozilla Thunderbird 102.4.2
* changed: "Address Book" button in Account Central will now create a CardDAV address book instead of a local address book (bmo#1793903) * fixed: Messages fetched from POP server in `Fetch headers only` mode disappeared when moved to different folder by filter action
* fixed: Thunderbird re-downloaded locally deleted messages from a POP server when "Leave messages on server" and "Until I delete them" wereenabled (bmo#1796903)
* fixed: Multiple password prompts for the same POP account could be displayed (bmo#1786920)
* fixed: IMAP authentication failed on next startup if ImapMail folder was deleted by user (bmo#1793599)
* fixed: Retrieving passwords for authenticated NNTP accounts could fail
due to obsolete preferences in a users profile on every startup (bmo#1770594)
* fixed: `Get Next n Messages` did not consistently fetch all messages requested from NNTP server (bmo#1794185)
* fixed: `Get Messages` button unable to fetch messages from NNTP server
if root folder not selected (bmo#1792362)
* fixed: Thunderbird text branding did not always match locale of localized build (bmo#1786199)
* fixed: Thunderbird installer and Thunderbird updater created Windows shortcuts with different names (bmo#1787264)
* fixed: LDAP search filters unable to work with non-ASCII characters (bmo#1794306)
* fixed: "Today" highlighting in Calendar Month view did not update after date change at midnight (bmo#1795176)

- Mozilla Thunderbird 102.4.1
* new: Thunderbird will now catch and report errors parsing vCards thatcontain incorrectly formatted dates (bmo#1793415)
* fixed: Dynamic language switching did not update interface when switched to right-to-left languages (bmo#1794289)
* fixed: Custom header data was discarded after messages were saved as draft and reopened (bmo#195716)
* fixed: `-remote` command line argument did not work, affecting integration with various applications such as LibreOffice (bmo#1793323)
* fixed: Messages received via some SMS-to-email services could not display images (bmo#1774805)
* fixed: VCards with nickname field set could not be edited (bmo#1793877)
* fixed: Some recurring events were missing from Agenda on first load (bmo#1771168)
* fixed: Download requests for remote ICS calendars incorrectly set "Accept" header to text/xml (bmo#1793757)
* fixed: Monthly events created on the 31st of a month with