Lucene search

K
suseSuseSUSE-SU-2022:3800-1
HistoryOct 27, 2022 - 12:00 a.m.

Security update for MozillaThunderbird (important)

2022-10-2700:00:00
lists.opensuse.org
24
mozillathunderbird
update
vulnerabilities
openpgp
pop
forwarding messages
address book
carddav
caldav
calendar
performance
recurring event
security

EPSS

0.002

Percentile

61.2%

An update that fixes 12 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

  • Mozilla Thunderbird 102.4.0 (bsc#1204421)
    • changed: Thunderbird will automatically detect and repair OpenPGP key
      storage corruption caused by using the profile import tool in
      Thunderbird 102
    • fixed: POP message download into a large folder (~13000 messages)
      caused Thunderbird to temporarily freeze
    • fixed: Forwarding messages with special characters in Subject failed
      on Windows
    • fixed: Links for FileLink attachments were not added when attachment
      filename contained Unicode characters
    • fixed: Address Book display pane continued to show contacts after
      deletion
    • fixed: Printing address book did not include all contact details
    • fixed: CardDAV contacts without a Name property did not save to Google
      Contacts
    • fixed: “Publish Calendar” did not work
    • fixed: Calendar database storage improvements
    • fixed: Incorrectly handled error responses from CalDAV servers
      sometimes caused events to disappear from calendar
    • fixed: Various visual and UX improvements
  • Mozilla Thunderbird 102.3.3
    • new: Option added to show containing address book for a contact when
      using All Address Books in vertical mode (bmo#1778871)
    • changed: Thunderbird will try to use POP NTLM authentication even if
      not advertised by server (bmo#1793349)
    • changed: Task List and Today Pane sidebars will no longer load when
      not visible (bmo#1788549)
    • fixed: Sending a message while a recipient pill was being modified did
      not save changes (bmo#1779785)
    • fixed: Nickname column was not available in horizontal view
      of Address Book (bmo#1778000)
    • fixed: Multiline organization values were displayed across two columns
      in horizontal view of Address Book (bmo#1777780)
    • fixed: Contact vCard fields with multiple values such as Categories
      were truncated when saved (bmo#1792399)
    • fixed: ICS calendar files with a FREEBUSY property could not be
      imported (bmo#1783441)
    • fixed: Thunderbird would hang if calendar event exceeded the year 2035
      (bmo#1789999)
  • Mozilla Thunderbird 102.3.2
    • changed: Thunderbird will try to use POP CRAM-MD5 authentication even
      if not advertised by server (bmo#1789975)
    • fixed: Checking messages on POP3 accounts caused POP folder to lock if
      mail server was slow or non-responsive (bmo#1792451)
    • fixed: Newsgroups named with consecutive dots would not appear when
      refreshing list of newsgroups (bmo#1787789)
    • fixed: Sending news articles containing lines starting with dot were
      sometimes clipped (bmo#1787955)
    • fixed: CardDAV server sync silently failed if sync token expired
      (bmo#1791183)
    • fixed: Contacts from LDAP on macOS address books were not displayed
      (bmo#1791347)
    • fixed: Chat account input now accepts URIs for supported chat
      protocols (bmo#1776706)
    • fixed: Chat ScreenName field was not migrated to new address book
      (bmo#1789990)
    • fixed: Creating a New Event from the Today Pane used the currently
      selected day from the main calendar instead of from the Today Pane
      (bmo#1791203)
    • fixed: New Event button in Today Pane was incorrectly disabled
      sometimes (bmo#1792058)
    • fixed: Event reminder windows did not close after being dismissed or
      snoozed (bmo#1791228)
    • fixed: Improved performance of recurring event date calculation
      (bmo#1787677)
    • fixed: Quarterly calendar events on the last day of the month repeated
      one month early (bmo#1789362)
    • fixed: Thunderbird would hang if calendar event exceeded the year 2035
      (bmo#1789999)
    • fixed: Whitespace in calendar events was incorrectly handled when
      upgrading from Thunderbird 91 to 102 (bmo#1790339)
    • fixed: Various visual and UX improvements (bmo#1755623,bmo#17
      83903,bmo#1785851,bmo#1786434,bmo#1787286,bmo#1788151,bmo#178
      9728,bmo#1790499)
  • Mozilla Thunderbird 102.3.1
    • changed: Compose window encryption options now only appear for
      encryption technologies that have already been configured (bmo#1788988)
    • changed: Number of contacts in currently selected address book now
      displayed at bottom of Address Book list column (bmo#1745571)
    • fixed: Password prompt did not include server hostname for POP servers
      (bmo#1786920)
    • fixed: Edit Contact was missing from Contacts sidebar context menus
      (bmo#1771795)
    • fixed: Address Book contact lists cut off display of some characters,
      the result being unreadable (bmo#1780909)
    • fixed: Menu items for dark-themed alarm dialog were invisible
      on Windows 7 (bmo#1791738)
    • fixed: Various security fixes MFSA 2022-43 (bsc#1204411)
    • CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird
      vulnerable to an impersonation attack by malicious server
      administrators
    • CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird
      vulnerable to a device verification attack
    • CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird
      vulnerable to an impersonation attack
    • CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird
      vulnerable to a data corruption issue
  • Mozilla Thunderbird 102.3
    • changed: Thunderbird will no longer attempt to import account
      passwords when importing from another Thunderbird profile in
      order to prevent profile corruption and permanent data loss.
      (bmo#1790605)
    • changed: Devtools performance profile will use Thunderbird presets
      instead of Web Developer presets (bmo#1785954)
    • fixed: Thunderbird startup performance improvements (bmo#1785967)
    • fixed: Saving email source and images failed (bmo#1777323,bmo#1778804)
    • fixed: Error message was shown repeatedly when temporary disk space
      was full (bmo#1788580)
    • fixed: Attaching OpenPGP keys without a set size to non- encrypted
      messages briefly displayed a size of zero bytes (bmo#1788952)
    • fixed: Global Search entry box initially contained “undefined”
      (bmo#1780963)
    • fixed: Delete from POP Server mail filter rule intermittently failed
      to trigger (bmo#1789418)
    • fixed: Connections to POP3 servers without UIDL support failed
      (bmo#1789314)
    • fixed: Pop accounts with “Fetch headers only” set downloaded complete
      messages if server did not advertise TOP capability (bmo#1789356)
    • fixed: “File -> New -> Address Book Contact” from Compose window did
      not work (bmo#1782418)
    • fixed: Attach “My vCard” option in compose window was not available
      (bmo#1787614)
    • fixed: Improved performance of matching a contact to an email address
      (bmo#1782725)
    • fixed: Address book only recognized a contact’s first two email
      addresses (bmo#1777156)
    • fixed: Address book search and autocomplete failed if a contact vCard
      could not be parsed (bmo#1789793)
    • fixed: Downloading NNTP messages for offline use failed (bmo#1785773)
    • fixed: NNTP client became stuck when connecting to Public- Inbox
      servers (bmo#1786203)
    • fixed: Various visual and UX improvements
      (bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324)
    • fixed: Various security fixes
    • unresolved: No dedicated “Department” field in address book
      (bmo#1777780) MFSA 2022-42 (bsc#1203477)
    • CVE-2022-3266 (bmo#1767360) Out of bounds read when decoding H264
    • CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on
      transient pages
    • CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in
      threads
    • CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for
      cookies with __Host and __Secure prefix
    • CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
    • CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when
      building WASM on ARM64
    • CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS
      could be executed without warning
    • CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109,
      bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-3800=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-3800=1

  • SUSE Linux Enterprise Workstation Extension 15-SP4:

    zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-3800=1

  • SUSE Linux Enterprise Workstation Extension 15-SP3:

    zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-3800=1

  • SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3800=1

  • SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3800=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap15.4aarch64< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
openSUSE Leap15.4ppc64le< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
openSUSE Leap15.4s390x< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.s390x.rpm
openSUSE Leap15.4x86_64< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.x86_64.rpm
openSUSE Leap15.3aarch64< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
openSUSE Leap15.3ppc64le< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
openSUSE Leap15.3s390x< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.s390x.rpm
openSUSE Leap15.3x86_64< - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.x86_64.rpm
SUSE Linux Enterprise Workstation Extension 15SP4x86_64<  SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64):- SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64):.x86_64.rpm
SUSE Linux Enterprise Workstation Extension 15SP3x86_64<  SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):.x86_64.rpm
Rows per page:
1-10 of 161