Overview

File _patchinfo of Package patchinfo.24860

<patchinfo incident="24860">
  <issue tracker="bnc" id="1200793">VUL-0: MozillaFirefox / MozillaThunderbird: update to 102 and 91.11esr</issue>
  <issue tracker="cve" id="2022-2200"/>
  <issue tracker="cve" id="2022-2226"/>
  <issue tracker="cve" id="2022-31744"/>
  <issue tracker="cve" id="2022-34468"/>
  <issue tracker="cve" id="2022-34470"/>
  <issue tracker="cve" id="2022-34472"/>
  <issue tracker="cve" id="2022-34478"/>
  <issue tracker="cve" id="2022-34479"/>
  <issue tracker="cve" id="2022-34481"/>
  <issue tracker="cve" id="2022-34484"/>
  <packager>cgrobertson</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

  - CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
  - CVE-2022-2226: An email with a mismatching OpenPGP signature date was accepted as valid (bmo#1775441)
  - CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
  - CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
  - CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
  - CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
  - CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
  - CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
  - CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
  - CVE-2022-34484: Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102 (bmo#1763634, bmo#1772651)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places