SUSE-SU-2021:4150-1

Source: https://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Import Source: https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2021:4150-1.json
JSON Data: https://api.osv.dev/v1/vulns/SUSE-SU-2021:4150-1
Published: 2021-12-22T09:58:04Z
Modified: 2021-12-22T09:58:04Z

Summary: Security update for MozillaThunderbird

Details

This update for MozillaThunderbird fixes the following issues:

  • Update to version 91.4 MFSA 2021-54 (bsc#1193485)
    • CVE-2021-43536: URL leakage when navigating while executing an asynchronous function
    • CVE-2021-43537: Heap buffer overflow when using structured clone
    • CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
    • CVE-2021-43539: GC rooting failure when calling wasm instance methods
    • CVE-2021-43541: External protocol handler parameters were unescaped
    • CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
    • CVE-2021-43543: Bypass of the CSP sandbox directive when embedding
    • CVE-2021-43545: Denial of service when using the Location API in a loop
    • CVE-2021-43546: Cursor spoofing could overlay the user interface when the native cursor is zoomed
    • CVE-2021-43528: JavaScript unexpectedly enabled for the composition area

  • Update to version 91.3.2
    • CVE-2021-40529: ElGamal implementation could allow plaintext recovery (bsc#1190244)

  • Update to version 91.3 MFSA 2021-50 (bsc#1192250)
    • CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
    • CVE-2021-38504: Use-after-free in the file picker dialog
    • CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
    • CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen mode without notification or warning
    • CVE-2021-38507: Opportunistic Encryption in HTTP/2 could be used to bypass the Same-Origin Policy on services hosted on other ports
    • CVE-2021-38508: Permission prompt could be overlaid, resulting in user confusion and potential spoofing
    • CVE-2021-38509: JavaScript alert box could have been spoofed onto an arbitrary domain
    • CVE-2021-38510: Download protections were bypassed by .inetloc files on Mac OS
    • Fixed a plain-text reformatting regression (bsc#1182863)

  • Update to version 91.2 MFSA 2021-47 (bsc#1191332)
    • CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
    • CVE-2021-29982: Single-bit data leak due to incorrect JIT optimization and type confusion
    • CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
    • CVE-2021-32810: Data race in crossbeam-deque
    • CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and Thunderbird 91.1
    • CVE-2021-38496: Use-after-free in MessageTask
    • CVE-2021-38497: Validation message could have been overlaid on another origin
    • CVE-2021-38498: Use-after-free of nsLanguageAtomService object
    • CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2
    • CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2
    • CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections

  • Update to version 91.1.0 MFSA 2021-41 (bsc#1190269)
    • CVE-2021-38492: Navigating to the mk: URL scheme could load Internet Explorer
    • CVE-2021-38495: Memory safety bugs fixed in Thunderbird 91.1

  • Update to version 91.0.1 MFSA 2021-37 (bsc#1189547)
    • CVE-2021-29991: Header splitting possible with HTTP/3 responses

Affected packages

SUSE:Linux Enterprise Workstation Extension 15 SP2 / MozillaThunderbird

Package
  Name: MozillaThunderbird
  Purl: purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP2

Affected ranges
  Type: ECOSYSTEM
  Events:
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 91.4.0-8.45.2

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "91.4.0-8.45.2",
            "MozillaThunderbird-translations-other": "91.4.0-8.45.2",
            "MozillaThunderbird-translations-common": "91.4.0-8.45.2"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 15 SP3 / MozillaThunderbird

Package
  Name: MozillaThunderbird
  Purl: purl:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP3

Affected ranges
  Type: ECOSYSTEM
  Events:
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 91.4.0-8.45.2

Ecosystem specific

{
    "binaries": [
        {
            "MozillaThunderbird": "91.4.0-8.45.2",
            "MozillaThunderbird-translations-other": "91.4.0-8.45.2",
            "MozillaThunderbird-translations-common": "91.4.0-8.45.2"
        }
    ]
}