Oval Definition:oval:org.opensuse.security:def:70810
Revision Date:2021-12-22Version:1
Title:Security update for MozillaThunderbird (Important)
Description:

This update for MozillaThunderbird fixes the following issues:

- Update to version 91.4 MFSA 2021-54 (bsc#1193485) - CVE-2021-43536: URL leakage when navigating while executing asynchronous function - CVE-2021-43537: Heap buffer overflow when using structured clone - CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both - CVE-2021-43539: GC rooting failure when calling wasm instance methods - CVE-2021-43541: External protocol handler parameters were unescaped - CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler - CVE-2021-43543: Bypass of CSP sandbox directive when embedding - CVE-2021-43545: Denial of Service when using the Location API in a loop - CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed - CVE-2021-43528: JavaScript unexpectedly enabled for the composition area

- Update to version 91.3.2 - CVE-2021-40529: Fixed ElGamal implementation could allow plaintext recovery (bsc#1190244)

- Update to version 91.3 MFSA 2021-50 (bsc#1192250) - CVE-2021-38503: Fixed iframe sandbox rules did not apply to XSLT stylesheets - CVE-2021-38504: Fixed use-after-free in file picker dialog - CVE-2021-38505: Fixed Windows 10 Cloud Clipboard may have recorded sensitive user data - CVE-2021-38506: Fixed Thunderbird could be coaxed into going into fullscreen mode without notification or warning - CVE-2021-38507: Fixed opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports - CVE-2021-38508: Fixed permission Prompt could be overlaid, resulting in user confusion and potential spoofing - CVE-2021-38509: Fixed Javascript alert box could have been spoofed onto an arbitrary domain - CVE-2021-38510: Fixed Download Protections were bypassed by .inetloc files on Mac OS - Fixed plain text reformatting regression (bsc#1182863)

- Update to version 91.2 MFSA 2021-47 (bsc#1191332) - CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT - CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion - CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux - CVE-2021-32810: Data race in crossbeam-deque - CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and Thunderbird 91.1 - CVE-2021-38496: Use-after-free in MessageTask - CVE-2021-38497: Validation message could have been overlaid on another origin - CVE-2021-38498: Use-after-free of nsLanguageAtomService object - CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2 - CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2 - CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections

- Update to version 91.1.0 MFSA 2021-41 (bsc#1190269) - CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer - CVE-2021-38495: Memory safety bugs fixed in Thunderbird 91.1

- Update to version 91.0.1 MFSA 2021-37 (bsc#1189547) - CVE-2021-29991: Header Splitting possible with HTTP/3 Responses
Family:unixClass:patch
Status:Reference(s):1174052
1175070
1175071
1175074
1182863
1189547
1190244
1190269
1191332
1192250
1193485
CVE-2016-5180
CVE-2017-1000381
CVE-2020-11984
CVE-2020-11993
CVE-2020-9490
CVE-2021-29981
CVE-2021-29982
CVE-2021-29987
CVE-2021-29991
CVE-2021-32810
CVE-2021-38492
CVE-2021-38493
CVE-2021-38495
CVE-2021-38496
CVE-2021-38497
CVE-2021-38498
CVE-2021-38500
CVE-2021-38501
CVE-2021-38502
CVE-2021-38503
CVE-2021-38504
CVE-2021-38505
CVE-2021-38506
CVE-2021-38507
CVE-2021-38508
CVE-2021-38509
CVE-2021-38510
CVE-2021-40529
CVE-2021-43528
CVE-2021-43536
CVE-2021-43537
CVE-2021-43538
CVE-2021-43539
CVE-2021-43541
CVE-2021-43542
CVE-2021-43543
CVE-2021-43545
CVE-2021-43546
SUSE-SU-2020:2311-1
SUSE-SU-2021:4150-1
Platform(s):SUSE Linux Enterprise Desktop 15 SP2
SUSE Linux Enterprise Module for Basesystem 15 SP1
SUSE Linux Enterprise Module for Server Applications 15 SP2
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Linux Enterprise Workstation Extension 15 SP2
Product(s):
Definition Synopsis
  • SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed
  • AND Package Information
  • c-ares-devel-1.14.0-1 is installed
  • OR libcares2-1.14.0-1 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Module for Server Applications 15 SP2 is installed
  • AND Package Information
  • apache2-2.4.43-3.5 is installed
  • OR apache2-devel-2.4.43-3.5 is installed
  • OR apache2-doc-2.4.43-3.5 is installed
  • OR apache2-worker-2.4.43-3.5 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Workstation Extension 15 SP2 is installed
  • AND Package Information
  • MozillaThunderbird-91.4.0-8.45.2 is installed
  • OR MozillaThunderbird-translations-common-91.4.0-8.45.2 is installed
  • OR MozillaThunderbird-translations-other-91.4.0-8.45.2 is installed
    • BACK