CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

An update that fixes 33 vulnerabilities is now available.
Description:
This update for MozillaThunderbird fixes the following issues:
Update to version 91.4 MFSA 2021-54 (bsc#1193485)
CVE-2021-43536: URL leakage when navigating while executing asynchronous function
CVE-2021-43537: Heap buffer overflow when using structured clone
CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
CVE-2021-43539: GC rooting failure when calling wasm instance methods
CVE-2021-43541: External protocol handler parameters were unescaped
CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
CVE-2021-43543: Bypass of CSP sandbox directive when embedding
CVE-2021-43545: Denial of Service when using the Location API in a loop
CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
CVE-2021-43528: JavaScript unexpectedly enabled for the composition area
Update to version 91.3.2
CVE-2021-40529: Fixed ElGamal implementation could allow plaintext recovery (bsc#1190244)
Update to version 91.3 MFSA 2021-50 (bsc#1192250)
CVE-2021-38503: Fixed iframe sandbox rules did not apply to XSLT stylesheets
CVE-2021-38504: Fixed use-after-free in file picker dialog
CVE-2021-38505: Fixed Windows 10 Cloud Clipboard may have recorded sensitive user data
CVE-2021-38506: Fixed Thunderbird could be coaxed into going into fullscreen mode without notification or warning
CVE-2021-38507: Fixed opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
CVE-2021-38508: Fixed permission Prompt could be overlaid, resulting in user confusion and potential spoofing
CVE-2021-38509: Fixed Javascript alert box could have been spoofed onto an arbitrary domain
CVE-2021-38510: Fixed Download Protections were bypassed by .inetloc files on Mac OS
Fixed plain text reformatting regression (bsc#1182863)
Update to version 91.2 MFSA 2021-47 (bsc#1191332)
CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion
CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
CVE-2021-32810: Data race in crossbeam-deque
CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and Thunderbird 91.1
CVE-2021-38496: Use-after-free in MessageTask
CVE-2021-38497: Validation message could have been overlaid on another origin
CVE-2021-38498: Use-after-free of nsLanguageAtomService object
CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2
CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2
CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections
Update to version 91.1.0 MFSA 2021-41 (bsc#1190269)
CVE-2021-38492: Navigating to mk: URL scheme could load Internet Explorer
CVE-2021-38495: Memory safety bugs fixed in Thunderbird 91.1
Update to version 91.0.1 MFSA 2021-37 (bsc#1189547)
CVE-2021-29991: Header Splitting possible with HTTP/3 Responses
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-4150=1
OS | Version | Architecture |
---|---|---|
openSUSE Leap | 15.3 | aarch64 |
openSUSE Leap | 15.3 | ppc64le |
openSUSE Leap | 15.3 | s390x |
openSUSE Leap | 15.3 | x86_64 |