Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2022:1176-1
Rating:	important
References:	bsc#1197903
Cross-References:	CVE-2022-1097 CVE-2022-1196 CVE-2022-1197 CVE-2022-24713 CVE-2022-28281 CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289
CVSS scores:	CVE-2022-1097 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-1097 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-1196 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2022-1196 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-1197 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2022-1197 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2022-24713 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2022-24713 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-28281 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-28281 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-28282 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2022-28282 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-28285 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2022-28285 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2022-28286 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2022-28286 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2022-28289 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-28289 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Workstation Extension 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.2 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.2 SUSE Manager Server 4.3 SUSE Package Hub 15 15-SP3 SUSE Package Hub 15 15-SP4

An update that solves nine vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

• Updated to version 91.8 (bsc#1197903):
• CVE-2022-1097: Fixed a memory corruption issue with NSSToken objects.
• CVE-2022-28281: Fixed a memory corruption issue due to unexpected WebAuthN Extensions.
• CVE-2022-1197: Fixed an issue where OpenPGP revocation information was ignored.
• CVE-2022-1196: Fixed a memory corruption issue after VR process destruction.
• CVE-2022-28282: Fixed a memory corruption issue in document translation.
• CVE-2022-28285: Fixed a memory corruption issue in JIT code generation.
• CVE-2022-28286: Fixed an iframe layout issue that could have been exploited to stage spoofing attacks.
• CVE-2022-24713: Fixed a potential denial of service via complex regular expressions.
• CVE-2022-28289: Fixed multiple memory corruption issues.

Non-security fixes:

• Changed Google accounts using password authentication to use OAuth2.
• Fixed an issue where OpenPGP ECC keys created by Thunderbird could not be imported into GnuPG.
• Fixed an issue where exporting multiple public PGP keys from Thunderbird was not possible.
• Fixed an issue where replying to a newsgroup message erroneously displayed a "No-reply" popup warning.
• Fixed an issue with opening older address books.
• Fixed an issue where LDAP directories would be lost when switching to "Offline" mode.
• Fixed an issue when importing webcals.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Package Hub 15 15-SP3
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1176=1
• SUSE Package Hub 15 15-SP4
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-1176=1
• SUSE Linux Enterprise Workstation Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-1176=1

Package List:

• SUSE Package Hub 15 15-SP3 (aarch64 ppc64le s390x)
  • MozillaThunderbird-translations-other-91.8.0-150200.8.65.1
  • MozillaThunderbird-debugsource-91.8.0-150200.8.65.1
  • MozillaThunderbird-translations-common-91.8.0-150200.8.65.1
  • MozillaThunderbird-91.8.0-150200.8.65.1
  • MozillaThunderbird-debuginfo-91.8.0-150200.8.65.1
• SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x)
  • MozillaThunderbird-translations-other-91.8.0-150200.8.65.1
  • MozillaThunderbird-debugsource-91.8.0-150200.8.65.1
  • MozillaThunderbird-translations-common-91.8.0-150200.8.65.1
  • MozillaThunderbird-91.8.0-150200.8.65.1
  • MozillaThunderbird-debuginfo-91.8.0-150200.8.65.1
• SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
  • MozillaThunderbird-translations-other-91.8.0-150200.8.65.1
  • MozillaThunderbird-debugsource-91.8.0-150200.8.65.1
  • MozillaThunderbird-translations-common-91.8.0-150200.8.65.1
  • MozillaThunderbird-91.8.0-150200.8.65.1
  • MozillaThunderbird-debuginfo-91.8.0-150200.8.65.1

References:

• https://www.suse.com/security/cve/CVE-2022-1097.html
• https://www.suse.com/security/cve/CVE-2022-1196.html
• https://www.suse.com/security/cve/CVE-2022-1197.html
• https://www.suse.com/security/cve/CVE-2022-24713.html
• https://www.suse.com/security/cve/CVE-2022-28281.html
• https://www.suse.com/security/cve/CVE-2022-28282.html
• https://www.suse.com/security/cve/CVE-2022-28285.html
• https://www.suse.com/security/cve/CVE-2022-28286.html
• https://www.suse.com/security/cve/CVE-2022-28289.html
• https://bugzilla.suse.com/show_bug.cgi?id=1197903