SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3528-1
Rating:             important
References:         #1178894 
Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951
                    CVE-2020-26953 CVE-2020-26956 CVE-2020-26958
                    CVE-2020-26959 CVE-2020-26960 CVE-2020-26961
                    CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
                   
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird fixes the following issues:

       TODO
   - Mozilla Thunderbird 78.5.0
     * new: OpenPGP: Added option to disable attaching the public key to a
       signed message (bmo#1654950)
     * new: MailExtensions: "compose_attachments" context added to Menus API
       (bmo#1670822)
     * new: MailExtensions: Menus API now available on displayed messages
       (bmo#1670825)
     * changed: MailExtensions: browser.tabs.create will now wait for
       "mail-delayed-startup-finished" event (bmo#1674407)
     * fixed: OpenPGP: Support for inline PGP messages improved (bmo#1672851)
     * fixed: OpenPGP: Message security dialog showed unverified keys as
       unavailable (bmo#1675285)
     * fixed: Chat: New chat contact menu item did not function (bmo#1663321)
     * fixed: Various theme and usability improvements (bmo#1673861)
     * fixed: Various security fixes MFSA 2020-52 (bsc#1178894)
     * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and
       bypass security sanitizer for chrome privileged code
     * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin
       images during drawImage calls
     * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without
       displaying the security UI
     * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard
       API)
     * CVE-2020-26958 (bmo#1669355) Requests intercepted through
       ServiceWorkers lacked MIME type restrictions
     * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
     * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of
       nsTArray
     * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
     * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP
       Addresses
     * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered
       typed passwords
     * CVE-2020-26966 (bmo#1663571) Single-word search queries were also
       broadcast to local network
     * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739,
       bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs
       fixed in Thunderbird 78.5

   - Mozilla Thunderbird 78.4.3
     * fixed: User interface was inconsistent when switching from the default
       theme to the dark theme and back to the default theme (bmo#1659282)
     * fixed: Email subject would disappear when hovering over it with the
       mouse when using Windows 7 Classic theme (bmo#1675970)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3528=1

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3528=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      MozillaThunderbird-78.5.0-3.107.1
      MozillaThunderbird-debuginfo-78.5.0-3.107.1
      MozillaThunderbird-debugsource-78.5.0-3.107.1
      MozillaThunderbird-translations-common-78.5.0-3.107.1
      MozillaThunderbird-translations-other-78.5.0-3.107.1

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      MozillaThunderbird-78.5.0-3.107.1
      MozillaThunderbird-debuginfo-78.5.0-3.107.1
      MozillaThunderbird-debugsource-78.5.0-3.107.1
      MozillaThunderbird-translations-common-78.5.0-3.107.1
      MozillaThunderbird-translations-other-78.5.0-3.107.1


References:

   https://www.suse.com/security/cve/CVE-2020-15999.html
   https://www.suse.com/security/cve/CVE-2020-16012.html
   https://www.suse.com/security/cve/CVE-2020-26951.html
   https://www.suse.com/security/cve/CVE-2020-26953.html
   https://www.suse.com/security/cve/CVE-2020-26956.html
   https://www.suse.com/security/cve/CVE-2020-26958.html
   https://www.suse.com/security/cve/CVE-2020-26959.html
   https://www.suse.com/security/cve/CVE-2020-26960.html
   https://www.suse.com/security/cve/CVE-2020-26961.html
   https://www.suse.com/security/cve/CVE-2020-26965.html
   https://www.suse.com/security/cve/CVE-2020-26966.html
   https://www.suse.com/security/cve/CVE-2020-26968.html
   https://bugzilla.suse.com/1178894

SUSE: 2020:3528-1 important: MozillaThunderbird

November 26, 2020
An update that fixes 12 vulnerabilities is now available

Summary

This update for MozillaThunderbird fixes the following issues: TODO - Mozilla Thunderbird 78.5.0 * new: OpenPGP: Added option to disable attaching the public key to a signed message (bmo#1654950) * new: MailExtensions: "compose_attachments" context added to Menus API (bmo#1670822) * new: MailExtensions: Menus API now available on displayed messages (bmo#1670825) * changed: MailExtensions: browser.tabs.create will now wait for "mail-delayed-startup-finished" event (bmo#1674407) * fixed: OpenPGP: Support for inline PGP messages improved (bmo#1672851) * fixed: OpenPGP: Message security dialog showed unverified keys as unavailable (bmo#1675285) * fixed: Chat: New chat contact menu item did not function (bmo#1663321) * fixed: Various theme and usability improvements (bmo#1673861) * fixed: Various security fixes MFSA 2020-52 (bsc#1178894) * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API) * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords * CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Thunderbird 78.5 - Mozilla Thunderbird 78.4.3 * fixed: User interface was inconsistent when switching from the default theme to the dark theme and back to the default theme (bmo#1659282) * fixed: Email subject would disappear when hovering over it with the mouse when using Windows 7 Classic theme (bmo#1675970) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3528=1 - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3528=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): MozillaThunderbird-78.5.0-3.107.1 MozillaThunderbird-debuginfo-78.5.0-3.107.1 MozillaThunderbird-debugsource-78.5.0-3.107.1 MozillaThunderbird-translations-common-78.5.0-3.107.1 MozillaThunderbird-translations-other-78.5.0-3.107.1 - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): MozillaThunderbird-78.5.0-3.107.1 MozillaThunderbird-debuginfo-78.5.0-3.107.1 MozillaThunderbird-debugsource-78.5.0-3.107.1 MozillaThunderbird-translations-common-78.5.0-3.107.1 MozillaThunderbird-translations-other-78.5.0-3.107.1

References

#1178894

Cross- CVE-2020-15999 CVE-2020-16012 CVE-2020-26951

CVE-2020-26953 CVE-2020-26956 CVE-2020-26958

CVE-2020-26959 CVE-2020-26960 CVE-2020-26961

CVE-2020-26965 CVE-2020-26966 CVE-2020-26968

Affected Products:

SUSE Linux Enterprise Workstation Extension 15-SP2

SUSE Linux Enterprise Workstation Extension 15-SP1

https://www.suse.com/security/cve/CVE-2020-15999.html

https://www.suse.com/security/cve/CVE-2020-16012.html

https://www.suse.com/security/cve/CVE-2020-26951.html

https://www.suse.com/security/cve/CVE-2020-26953.html

https://www.suse.com/security/cve/CVE-2020-26956.html

https://www.suse.com/security/cve/CVE-2020-26958.html

https://www.suse.com/security/cve/CVE-2020-26959.html

https://www.suse.com/security/cve/CVE-2020-26960.html

https://www.suse.com/security/cve/CVE-2020-26961.html

https://www.suse.com/security/cve/CVE-2020-26965.html

https://www.suse.com/security/cve/CVE-2020-26966.html

https://www.suse.com/security/cve/CVE-2020-26968.html

https://bugzilla.suse.com/1178894

Severity
Announcement ID: SUSE-SU-2020:3528-1
Rating: important

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved