An update that fixes 23 vulnerabilities is now available.
Description:
This update for MozillaThunderbird fixes the following issues:
Updated to Mozilla Thunderbird 102.2.2:
CVE-2022-3033: Fixed leaking of sensitive information when composing a
response to an HTML email with a META refresh tag (bsc#1203007).
CVE-2022-3032: Fixed missing blocking of remote content specified in an
HTML document that was nested inside an iframe’s srcdoc attribute
(bsc#1203007).
CVE-2022-3034: Fixed an issue where an iframe element in an HTML email could
trigger a network request (bsc#1203007).
CVE-2022-36059: Fixed a denial-of-service (DoS) vulnerability in the Matrix
SDK bundled with Thunderbird (bsc#1203007).
CVE-2022-38472: Fixed address bar spoofing via XSLT error handling
(bsc#1202645).
CVE-2022-38473: Fixed cross-origin XSLT Documents inheriting the
parent’s permissions (bsc#1202645).
CVE-2022-38476: Fixed data race and potential use-after-free in
PK11_ChangePW (bsc#1202645).
CVE-2022-38477: Fixed memory safety bugs (bsc#1202645).
CVE-2022-38478: Fixed memory safety bugs (bsc#1202645).
CVE-2022-36319: Fixed mouse position spoofing with CSS transforms
(bsc#1201758).
CVE-2022-36318: Fixed directory indexes for bundled resources reflecting
URL parameters (bsc#1201758).
CVE-2022-36314: Fixed unexpected network loads when opening local .lnk
files (bsc#1201758).
CVE-2022-2505: Fixed memory safety bugs (bsc#1201758).
CVE-2022-34479: Fixed vulnerability which could overlay the address bar
with web content (bsc#1200793).
CVE-2022-34470: Fixed use-after-free in nsSHistory (bsc#1200793).
CVE-2022-34468: Fixed bypass of the CSP sandbox header without allow-scripts
via retargeted javascript (bsc#1200793).
CVE-2022-2226: Fixed emails with a mismatching OpenPGP signature date
incorrectly accepted as valid (bsc#1200793).
CVE-2022-34481: Fixed integer overflow in ReplaceElementsAt
(bsc#1200793).
CVE-2022-31744: Fixed CSP bypass enabling stylesheet injection
(bsc#1200793).
CVE-2022-34472: Fixed OCSP requests being blocked when a PAC file was
unavailable (bsc#1200793).
CVE-2022-34478: Fixed attacks via Microsoft protocols that were possible if a
user accepted a prompt (bsc#1200793).
CVE-2022-2200: Fixed vulnerability where undesired attributes could be
set as part of prototype pollution (bsc#1200793).
CVE-2022-34484: Fixed memory safety bugs (bsc#1200793).
Patch Instructions:
To install this SUSE Security Update, use the SUSE recommended installation
methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:
openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-3281=1
openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-3281=1
SUSE Linux Enterprise Workstation Extension 15-SP4:
zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-3281=1
SUSE Linux Enterprise Workstation Extension 15-SP3:
zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-3281=1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3281=1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3281=1
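To confirm afterwards that the installed package is no longer below the fixed version, the following script is an added example and not part of this advisory: it takes a version string (assumed to be the output of `rpm -q --qf '%{VERSION}\n' MozillaThunderbird`, passed as an argument so the check runs offline) and compares it with 102.2.2 component by component.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: report whether an installed
# MozillaThunderbird version is still older than the fixed 102.2.2.
# Assumption: the version string is numeric and dot-separated (X.Y.Z), as
# printed by:  rpm -q --qf '%{VERSION}\n' MozillaThunderbird

FIXED_VERSION="102.2.2"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Missing trailing components count as 0, so 102.2 equals 102.2.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi   # drop it
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# needs_update VERSION: succeeds (exit 0) if VERSION is older than FIXED_VERSION.
needs_update() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Usage: tb_check.sh <installed-version>
if [ -n "$1" ]; then
    if needs_update "$1"; then
        echo "MozillaThunderbird $1 is older than $FIXED_VERSION: apply the patch"
    else
        echo "MozillaThunderbird $1 is at or above $FIXED_VERSION"
    fi
fi
```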