Security update for MozillaThunderbird and mozilla-nspr

Announcement ID: SUSE-SU-2020:3091-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2020-15673 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-15673 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-15676 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-15677 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-15677 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-15678 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-15678 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-15683 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-15683 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-15969 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-15969 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  • Basesystem Module 15-SP2
  • Basesystem Module 15-SP1
  • SUSE Linux Enterprise Desktop 15 SP1
  • SUSE Linux Enterprise Desktop 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Workstation Extension 15 SP1
  • SUSE Linux Enterprise Workstation Extension 15 SP2
  • SUSE Manager Proxy 4.0
  • SUSE Manager Proxy 4.1
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Server 4.0
  • SUSE Manager Server 4.1

An update that solves six vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

  • Mozilla Thunderbird 78.4
  • new: MailExtensions: browser.tabs.sendMessage API added
  • new: MailExtensions: messageDisplayScripts API added
  • changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
  • changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
  • changed: MailExtensions: compose.begin functions now support creating a message with attachments
  • fixed: Thunderbird could freeze when updating global search index
  • fixed: Multiple issues with handling of self-signed SSL certificates addressed
  • fixed: Recipient address fields in compose window could expand to fill all available space
  • fixed: Inserting emoji characters in message compose window caused unexpected behavior
  • fixed: Button to restore default folder icon color was not keyboard accessible
  • fixed: Various keyboard navigation fixes
  • fixed: Various color-related theme fixes
  • fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977)
  • CVE-2020-15969 Use-after-free in usersctp
  • CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
  • Mozilla Thunderbird 78.3.3
  • OpenPGP: Improved support for encrypting with subkeys
  • OpenPGP message status icons were not visible in message header pane
  • Creating a new calendar event did not require an event title
  • Mozilla Thunderbird 78.3.2 (bsc#1176899)
  • OpenPGP: Improved support for encrypting with subkeys
  • OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
  • Single-click deletion of recipient pills with middle mouse button restored
  • Searching an address book list did not display results
  • Dark mode, high contrast, and Windows theming fixes
  • Mozilla Thunderbird 78.3.1
  • fix crash in nsImapProtocol::CreateNewLineFromSocket
  • Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756)
  • CVE-2020-15677 Download origin spoofing via redirect
  • CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
  • CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
  • CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3

  • update mozilla-nspr to version 4.25.1

  • The macOS platform code for shared library loading was changed to support macOS 11.
  • Dependency needed for the MozillaThunderbird udpate

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3091=1
  • Basesystem Module 15-SP2
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3091=1
  • SUSE Linux Enterprise Workstation Extension 15 SP1
    zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3091=1
  • SUSE Linux Enterprise Workstation Extension 15 SP2
    zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3091=1

Package List:

  • Basesystem Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • mozilla-nspr-debugsource-4.25.1-3.15.2
    • mozilla-nspr-debuginfo-4.25.1-3.15.2
    • mozilla-nspr-devel-4.25.1-3.15.2
    • mozilla-nspr-4.25.1-3.15.2
  • Basesystem Module 15-SP1 (x86_64)
    • mozilla-nspr-32bit-4.25.1-3.15.2
    • mozilla-nspr-32bit-debuginfo-4.25.1-3.15.2
  • Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
    • mozilla-nspr-debugsource-4.25.1-3.15.2
    • mozilla-nspr-debuginfo-4.25.1-3.15.2
    • mozilla-nspr-devel-4.25.1-3.15.2
    • mozilla-nspr-4.25.1-3.15.2
  • Basesystem Module 15-SP2 (x86_64)
    • mozilla-nspr-32bit-4.25.1-3.15.2
    • mozilla-nspr-32bit-debuginfo-4.25.1-3.15.2
  • SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
    • MozillaThunderbird-debuginfo-78.4.0-3.99.1
    • MozillaThunderbird-debugsource-78.4.0-3.99.1
    • MozillaThunderbird-78.4.0-3.99.1
    • MozillaThunderbird-translations-other-78.4.0-3.99.1
    • MozillaThunderbird-translations-common-78.4.0-3.99.1
  • SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
    • MozillaThunderbird-debuginfo-78.4.0-3.99.1
    • MozillaThunderbird-debugsource-78.4.0-3.99.1
    • MozillaThunderbird-78.4.0-3.99.1
    • MozillaThunderbird-translations-other-78.4.0-3.99.1
    • MozillaThunderbird-translations-common-78.4.0-3.99.1

References: