{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-common":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-other":"102.5.0-150200.8.90.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP3","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"102.5.0-150200.8.90.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-common":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-other":"102.5.0-150200.8.90.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP4","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"102.5.0-150200.8.90.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-common":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-other":"102.5.0-150200.8.90.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP3","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"102.5.0-150200.8.90.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-common":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-other":"102.5.0-150200.8.90.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP4","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"102.5.0-150200.8.90.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-common":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-other":"102.5.0-150200.8.90.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"102.5.0-150200.8.90.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-common":"102.5.0-150200.8.90.1","MozillaThunderbird-translations-other":"102.5.0-150200.8.90.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.4","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"102.5.0-150200.8.90.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\n- Fixed various security issues (MFSA 2022-49, bsc#1205270):\n * CVE-2022-45403 (bmo#1762078)\n Service Workers might have learned size of cross-origin media\n files\n * CVE-2022-45404 (bmo#1790815)\n Fullscreen notification bypass\n * CVE-2022-45405 (bmo#1791314)\n Use-after-free in InputStream implementation\n * CVE-2022-45406 (bmo#1791975)\n Use-after-free of a JavaScript Realm\n * CVE-2022-45408 (bmo#1793829)\n Fullscreen notification bypass via windowName\n * CVE-2022-45409 (bmo#1796901)\n Use-after-free in Garbage Collection\n * CVE-2022-45410 (bmo#1658869)\n ServiceWorker-intercepted requests bypassed SameSite cookie\n policy\n * CVE-2022-45411 (bmo#1790311)\n Cross-Site Tracing was possible via non-standard override\n headers\n * CVE-2022-45412 (bmo#1791029)\n Symlinks may resolve to partially uninitialized buffers\n * CVE-2022-45416 (bmo#1793676)\n Keystroke Side-Channel Leakage\n * CVE-2022-45418 (bmo#1795815)\n Custom mouse cursor could have been drawn over browser UI\n * CVE-2022-45420 (bmo#1792643)\n Iframe contents could be rendered outside the iframe\n * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)\n Memory safety bugs fixed in Thunderbird 102.5\n\n- Fixed various security issues: (MFSA 2022-46, bsc#1204421):\n * CVE-2022-42927 (bmo#1789128)\n Same-origin policy violation could have leaked cross-origin\n URLs\n * CVE-2022-42928 (bmo#1791520)\n Memory Corruption in JS Engine\n * CVE-2022-42929 (bmo#1789439)\n Denial of Service via window.print\n * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)\n Memory safety bugs fixed in Thunderbird 102.4\n\n- Mozilla Thunderbird 102.5\n * changed: `Ctrl+N` shortcut to create new contacts from\n address book restored (bmo#1751288)\n * fixed: Account Settings UI did not update to reflect default\n identity changes (bmo#1782646)\n * fixed: New POP mail notifications were incorrectly shown for\n messages marked by filters as read or junk (bmo#1787531)\n * fixed: Connecting to an IMAP server configured to use\n `PREAUTH` caused Thunderbird to hang (bmo#1798161)\n * fixed: Error responses received in greeting header from NNTP\n servers did not display error message (bmo#1792281)\n * fixed: News messages sent using 'Send Later' failed to send\n after going back online (bmo#1794997)\n * fixed: 'Download/Sync Now...' did not completely sync all\n newsgroups before going offline (bmo#1795547)\n * fixed: Username was missing from error dialog on failed login\n to news server (bmo#1796964)\n * fixed: Thunderbird can now fetch RSS channel feeds with\n incomplete channel URL (bmo#1794775)\n * fixed: Add-on 'Contribute' button in Add-ons Manager did not\n work (bmo#1795751)\n * fixed: Help text for `/part` Matrix command was incorrect\n (bmo#1795578)\n * fixed: Invite Attendees dialog did not fetch free/busy info\n for attendees with encoded characters in their name\n (bmo#1797927)\n\n- Mozilla Thunderbird 102.4.2\n * changed: 'Address Book' button in Account Central will now\n create a CardDAV address book instead of a local address book\n (bmo#1793903)\n * fixed: Messages fetched from POP server in `Fetch headers\n only` mode disappeared when moved to different folder by\n filter action (bmo#1793374)\n * fixed: Thunderbird re-downloaded locally deleted messages\n from a POP server when 'Leave messages on server' and 'Until\n I delete them' were enabled (bmo#1796903)\n * fixed: Multiple password prompts for the same POP account\n could be displayed (bmo#1786920)\n * fixed: IMAP authentication failed on next startup if ImapMail\n folder was deleted by user (bmo#1793599)\n * fixed: Retrieving passwords for authenticated NNTP accounts\n could fail due to obsolete preferences in a users profile on\n every startup (bmo#1770594)\n * fixed: `Get Next n Messages` did not consistently fetch all\n messages requested from NNTP server (bmo#1794185)\n * fixed: `Get Messages` button unable to fetch messages from\n NNTP server if root folder not selected (bmo#1792362)\n * fixed: Thunderbird text branding did not always match locale\n of localized build (bmo#1786199)\n * fixed: Thunderbird installer and Thunderbird updater created\n Windows shortcuts with different names (bmo#1787264)\n * fixed: LDAP search filters unable to work with non-ASCII\n characters (bmo#1794306)\n * fixed: 'Today' highlighting in Calendar Month view did not\n update after date change at midnight (bmo#1795176)\n\n- Mozilla Thunderbird 102.4.1\n * new: Thunderbird will now catch and report errors parsing\n vCards that contain incorrectly formatted dates (bmo#1793415)\n * fixed: Dynamic language switching did not update interface\n when switched to right-to-left languages (bmo#1794289)\n * fixed: Custom header data was discarded after messages were\n saved as draft and reopened (bmo#195716)\n * fixed: `-remote` command line argument did not work,\n affecting integration with various applications such as\n LibreOffice (bmo#1793323)\n * fixed: Messages received via some SMS-to-email services could\n not display images (bmo#1774805)\n * fixed: VCards with nickname field set could not be edited\n (bmo#1793877)\n * fixed: Some recurring events were missing from Agenda on\n first load (bmo#1771168)\n * fixed: Download requests for remote ICS calendars incorrectly\n set 'Accept' header to text/xml (bmo#1793757)\n * fixed: Monthly events created on the 31st of a month with <30\n days placed first occurrence 1-2 days after the beginning of\n the following month (bmo#1266797)\n * fixed: Various visual and UX improvements\n (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)\n\n * changed: Thunderbird will automatically detect and repair\n OpenPGP key storage corruption caused by using the profile\n import tool in Thunderbird 102 (bmo#1790610)\n * fixed: POP message download into a large folder (~13000\n messages) caused Thunderbird to temporarily freeze\n (bmo#1792675)\n * fixed: Forwarding messages with special characters in Subject\n failed on Windows (bmo#1782173)\n * fixed: Links for FileLink attachments were not added when\n attachment filename contained Unicode characters\n (bmo#1789589)\n * fixed: Address Book display pane continued to show contacts\n after deletion (bmo#1777808)\n * fixed: Printing address book did not include all contact\n details (bmo#1782076)\n * fixed: CardDAV contacts without a Name property did not save\n to Google Contacts (bmo#1792101)\n * fixed: 'Publish Calendar' did not work (bmo#1794471)\n * fixed: Calendar database storage improvements (bmo#1792124)\n * fixed: Incorrectly handled error responses from CalDAV\n servers sometimes caused events to disappear from calendar\n (bmo#1792923)\n * fixed: Various visual and UX improvements (bmo#1776093,bmo#17\n 80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179\n 3543)\n","id":"SUSE-SU-2022:4085-1","modified":"2022-11-18T15:39:11Z","published":"2022-11-18T15:39:11Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20224085-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1204421"},{"type":"REPORT","url":"https://bugzilla.suse.com/1205270"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-42927"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-42928"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-42929"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-42932"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45403"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45404"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45405"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45406"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45408"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45409"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45410"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45411"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45412"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45416"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45418"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45420"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45421"}],"related":["CVE-2022-42927","CVE-2022-42928","CVE-2022-42929","CVE-2022-42932","CVE-2022-45403","CVE-2022-45404","CVE-2022-45405","CVE-2022-45406","CVE-2022-45408","CVE-2022-45409","CVE-2022-45410","CVE-2022-45411","CVE-2022-45412","CVE-2022-45416","CVE-2022-45418","CVE-2022-45420","CVE-2022-45421"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2022-42927","CVE-2022-42928","CVE-2022-42929","CVE-2022-42932","CVE-2022-45403","CVE-2022-45404","CVE-2022-45405","CVE-2022-45406","CVE-2022-45408","CVE-2022-45409","CVE-2022-45410","CVE-2022-45411","CVE-2022-45412","CVE-2022-45416","CVE-2022-45418","CVE-2022-45420","CVE-2022-45421"]}