SUSE-SU-2022:3281-1
Sep 15, 2022 - 12:00 a.m.

Security update for MozillaThunderbird (important)

2022-09-15 00:00:00
lists.opensuse.org

EPSS: 0.003 (percentile: 71.8%)

An update that fixes 23 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Updated to Mozilla Thunderbird 102.2.2:

  • CVE-2022-3033: Fixed leaking of sensitive information when composing a
    response to an HTML email with a META refresh tag (bsc#1203007).

  • CVE-2022-3032: Fixed missing blocking of remote content specified in an
    HTML document that was nested inside an iframe’s srcdoc attribute
    (bsc#1203007).

  • CVE-2022-3034: Fixed issue where iframe element in an HTML email could
    trigger a network request (bsc#1203007).

  • CVE-2022-36059: Fixed denial-of-service attack in the Matrix SDK
    bundled with Thunderbird (bsc#1203007).

  • CVE-2022-38472: Fixed address bar spoofing via XSLT error handling
    (bsc#1202645).

  • CVE-2022-38473: Fixed cross-origin XSLT documents inheriting the
    parent’s permissions (bsc#1202645).

  • CVE-2022-38476: Fixed data race and potential use-after-free in
    PK11_ChangePW (bsc#1202645).

  • CVE-2022-38477: Fixed memory safety bugs (bsc#1202645).

  • CVE-2022-38478: Fixed memory safety bugs (bsc#1202645).

  • CVE-2022-36319: Fixed mouse position spoofing with CSS transforms
    (bsc#1201758).

  • CVE-2022-36318: Fixed directory indexes for bundled resources reflected
    URL parameters (bsc#1201758).

  • CVE-2022-36314: Fixed unexpected network loads when opening local .lnk
    files (bsc#1201758).

  • CVE-2022-2505: Fixed memory safety bugs (bsc#1201758).

  • CVE-2022-34479: Fixed vulnerability which could overlay the address bar
    with web content (bsc#1200793).

  • CVE-2022-34470: Fixed use-after-free in nsSHistory (bsc#1200793).

  • CVE-2022-34468: Fixed CSP sandbox header without allow-scripts bypass
    via retargeted javascript (bsc#1200793).

  • CVE-2022-2226: Fixed emails with a mismatching OpenPGP signature date
    incorrectly accepted as valid (bsc#1200793).

  • CVE-2022-34481: Fixed integer overflow in ReplaceElementsAt
    (bsc#1200793).

  • CVE-2022-31744: Fixed CSP bypass enabling stylesheet injection
    (bsc#1200793).

  • CVE-2022-34472: Fixed unavailable PAC file resulting in OCSP requests
    being blocked (bsc#1200793).

  • CVE-2022-34478: Fixed Microsoft protocol attacks if a user accepts a
    prompt (bsc#1200793).

  • CVE-2022-2200: Fixed vulnerability where undesired attributes could be
    set as part of prototype pollution (bsc#1200793).

  • CVE-2022-34484: Fixed memory safety bugs (bsc#1200793).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-3281=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-3281=1

  • SUSE Linux Enterprise Workstation Extension 15-SP4:

    zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-3281=1

  • SUSE Linux Enterprise Workstation Extension 15-SP3:

    zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-3281=1

  • SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3281=1

  • SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3281=1

OS                                              Version  Architecture
openSUSE Leap                                   15.4     aarch64
openSUSE Leap                                   15.4     ppc64le
openSUSE Leap                                   15.4     s390x
openSUSE Leap                                   15.4     x86_64
openSUSE Leap                                   15.3     aarch64
openSUSE Leap                                   15.3     ppc64le
openSUSE Leap                                   15.3     s390x
openSUSE Leap                                   15.3     x86_64
SUSE Linux Enterprise Workstation Extension 15  SP4      x86_64
SUSE Linux Enterprise Workstation Extension 15  SP3      x86_64