Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3800-1 Final 1 1 2022-10-27T12:59:47Z current 2022-10-27T12:59:47Z 2022-10-27T12:59:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 102.4.0 (bsc#1204421) * changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102 * fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze * fixed: Forwarding messages with special characters in Subject failed on Windows * fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters * fixed: Address Book display pane continued to show contacts after deletion * fixed: Printing address book did not include all contact details * fixed: CardDAV contacts without a Name property did not save to Google Contacts * fixed: 'Publish Calendar' did not work * fixed: Calendar database storage improvements * fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar * fixed: Various visual and UX improvements - Mozilla Thunderbird 102.3.3 * new: Option added to show containing address book for a contact when using `All Address Books` in vertical mode (bmo#1778871) * changed: Thunderbird will try to use POP NTLM authentication even if not advertised by server (bmo#1793349) * changed: Task List and Today Pane sidebars will no longer load when not visible (bmo#1788549) * fixed: Sending a message while a recipient pill was being modified did not save changes (bmo#1779785) * fixed: Nickname column was not available in horizontal view of Address Book (bmo#1778000) * fixed: Multiline organization values were displayed across two columns in horizontal view of Address Book (bmo#1777780) * fixed: Contact vCard fields with multiple values such as Categories were truncated when saved (bmo#1792399) * fixed: ICS calendar files with a `FREEBUSY` property could not be imported (bmo#1783441) * fixed: Thunderbird would hang if calendar event exceeded the year 2035 (bmo#1789999) - Mozilla Thunderbird 102.3.2 * changed: Thunderbird will try to use POP CRAM-MD5 authentication even if not advertised by server (bmo#1789975) * fixed: Checking messages on POP3 accounts caused POP folder to lock if mail server was slow or non-responsive (bmo#1792451) * fixed: Newsgroups named with consecutive dots would not appear when refreshing list of newsgroups (bmo#1787789) * fixed: Sending news articles containing lines starting with dot were sometimes clipped (bmo#1787955) * fixed: CardDAV server sync silently failed if sync token expired (bmo#1791183) * fixed: Contacts from LDAP on macOS address books were not displayed (bmo#1791347) * fixed: Chat account input now accepts URIs for supported chat protocols (bmo#1776706) * fixed: Chat ScreenName field was not migrated to new address book (bmo#1789990) * fixed: Creating a New Event from the Today Pane used the currently selected day from the main calendar instead of from the Today Pane (bmo#1791203) * fixed: `New Event` button in Today Pane was incorrectly disabled sometimes (bmo#1792058) * fixed: Event reminder windows did not close after being dismissed or snoozed (bmo#1791228) * fixed: Improved performance of recurring event date calculation (bmo#1787677) * fixed: Quarterly calendar events on the last day of the month repeated one month early (bmo#1789362) * fixed: Thunderbird would hang if calendar event exceeded the year 2035 (bmo#1789999) * fixed: Whitespace in calendar events was incorrectly handled when upgrading from Thunderbird 91 to 102 (bmo#1790339) * fixed: Various visual and UX improvements (bmo#1755623,bmo#17 83903,bmo#1785851,bmo#1786434,bmo#1787286,bmo#1788151,bmo#178 9728,bmo#1790499) - Mozilla Thunderbird 102.3.1 * changed: Compose window encryption options now only appear for encryption technologies that have already been configured (bmo#1788988) * changed: Number of contacts in currently selected address book now displayed at bottom of Address Book list column (bmo#1745571) * fixed: Password prompt did not include server hostname for POP servers (bmo#1786920) * fixed: `Edit Contact` was missing from Contacts sidebar context menus (bmo#1771795) * fixed: Address Book contact lists cut off display of some characters, the result being unreadable (bmo#1780909) * fixed: Menu items for dark-themed alarm dialog were invisible on Windows 7 (bmo#1791738) * fixed: Various security fixes MFSA 2022-43 (bsc#1204411) * CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators * CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack * CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack * CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue - Mozilla Thunderbird 102.3 * changed: Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss. (bmo#1790605) * changed: Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954) * fixed: Thunderbird startup performance improvements (bmo#1785967) * fixed: Saving email source and images failed (bmo#1777323,bmo#1778804) * fixed: Error message was shown repeatedly when temporary disk space was full (bmo#1788580) * fixed: Attaching OpenPGP keys without a set size to non- encrypted messages briefly displayed a size of zero bytes (bmo#1788952) * fixed: Global Search entry box initially contained 'undefined' (bmo#1780963) * fixed: Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418) * fixed: Connections to POP3 servers without UIDL support failed (bmo#1789314) * fixed: Pop accounts with 'Fetch headers only' set downloaded complete messages if server did not advertise TOP capability (bmo#1789356) * fixed: 'File -> New -> Address Book Contact' from Compose window did not work (bmo#1782418) * fixed: Attach 'My vCard' option in compose window was not available (bmo#1787614) * fixed: Improved performance of matching a contact to an email address (bmo#1782725) * fixed: Address book only recognized a contact's first two email addresses (bmo#1777156) * fixed: Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793) * fixed: Downloading NNTP messages for offline use failed (bmo#1785773) * fixed: NNTP client became stuck when connecting to Public- Inbox servers (bmo#1786203) * fixed: Various visual and UX improvements (bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324) * fixed: Various security fixes * unresolved: No dedicated 'Department' field in address book (bmo#1777780) MFSA 2022-42 (bsc#1203477) * CVE-2022-3266 (bmo#1767360) Out of bounds read when decoding H264 * CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages * CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads * CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix * CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass * CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64 * CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS could be executed without warning * CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3800,SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3800,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3800,SUSE-SLE-Product-WE-15-SP3-2022-3800,SUSE-SLE-Product-WE-15-SP4-2022-3800,openSUSE-SLE-15.3-2022-3800,openSUSE-SLE-15.4-2022-3800 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ Link for SUSE-SU-2022:3800-1 https://lists.suse.com/pipermail/sle-security-updates/2022-October/012724.html E-Mail link for SUSE-SU-2022:3800-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203477 SUSE Bug 1203477 https://bugzilla.suse.com/1204411 SUSE Bug 1204411 https://bugzilla.suse.com/1204421 SUSE Bug 1204421 https://www.suse.com/security/cve/CVE-2022-3155/ SUSE CVE CVE-2022-3155 page https://www.suse.com/security/cve/CVE-2022-3266/ SUSE CVE CVE-2022-3266 page https://www.suse.com/security/cve/CVE-2022-39236/ SUSE CVE CVE-2022-39236 page https://www.suse.com/security/cve/CVE-2022-39249/ SUSE CVE CVE-2022-39249 page https://www.suse.com/security/cve/CVE-2022-39250/ SUSE CVE CVE-2022-39250 page https://www.suse.com/security/cve/CVE-2022-39251/ SUSE CVE CVE-2022-39251 page https://www.suse.com/security/cve/CVE-2022-40956/ SUSE CVE CVE-2022-40956 page https://www.suse.com/security/cve/CVE-2022-40957/ SUSE CVE CVE-2022-40957 page https://www.suse.com/security/cve/CVE-2022-40958/ SUSE CVE CVE-2022-40958 page https://www.suse.com/security/cve/CVE-2022-40959/ SUSE CVE CVE-2022-40959 page https://www.suse.com/security/cve/CVE-2022-40960/ SUSE CVE CVE-2022-40960 page https://www.suse.com/security/cve/CVE-2022-40962/ SUSE CVE CVE-2022-40962 page SUSE Linux Enterprise Module for Package Hub 15 SP3 SUSE Linux Enterprise Module for Package Hub 15 SP4 SUSE Linux Enterprise Workstation Extension 15 SP3 SUSE Linux Enterprise Workstation Extension 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 MozillaThunderbird-102.4.0-150200.8.85.1 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 MozillaThunderbird-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP3 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP3 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP3 MozillaThunderbird-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 MozillaThunderbird-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP4 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP4 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP4 MozillaThunderbird-102.4.0-150200.8.85.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-102.4.0-150200.8.85.1 as a component of openSUSE Leap 15.4 MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 as a component of openSUSE Leap 15.4 MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 as a component of openSUSE Leap 15.4 When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3. CVE-2022-3155 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-3155.html CVE-2022-3155 https://bugzilla.suse.com/1203477 SUSE Bug 1203477 An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-3266 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-3266.html CVE-2022-3266 Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue. CVE-2022-39236 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-39236.html CVE-2022-39236 https://bugzilla.suse.com/1204411 SUSE Bug 1204411 Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround. CVE-2022-39249 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-39249.html CVE-2022-39249 https://bugzilla.suse.com/1204411 SUSE Bug 1204411 Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users' identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround. CVE-2022-39250 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-39250.html CVE-2022-39250 https://bugzilla.suse.com/1204411 SUSE Bug 1204411 Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround. CVE-2022-39251 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-39251.html CVE-2022-39251 https://bugzilla.suse.com/1204411 SUSE Bug 1204411 When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-40956 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-40956.html CVE-2022-40956 https://bugzilla.suse.com/1203477 SUSE Bug 1203477 Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-40957 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-40957.html CVE-2022-40957 https://bugzilla.suse.com/1203477 SUSE Bug 1203477 By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-40958 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-40958.html CVE-2022-40958 https://bugzilla.suse.com/1203477 SUSE Bug 1203477 During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-40959 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-40959.html CVE-2022-40959 https://bugzilla.suse.com/1203477 SUSE Bug 1203477 Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-40960 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-40960.html CVE-2022-40960 https://bugzilla.suse.com/1203477 SUSE Bug 1203477 Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. CVE-2022-40962 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.4.0-150200.8.85.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.4.0-150200.8.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223800-1/ https://www.suse.com/security/cve/CVE-2022-40962.html CVE-2022-40962 https://bugzilla.suse.com/1203477 SUSE Bug 1203477