File _patchinfo of Package patchinfo.25875

<patchinfo incident="25875">
  <issue tracker="bnc" id="1201758">VUL-0: MozillaFirefox / MozillaThunderbird: update to 103 and 102.1esr/91.12esr</issue>
  <issue tracker="bnc" id="1202645">VUL-0: MozillaFirefox / MozillaThunderbird: update to 104 and 102.2esr/91.13esr</issue>
  <issue tracker="bnc" id="1200793">VUL-0: MozillaFirefox / MozillaThunderbird: update to 102 and 91.11esr</issue>
  <issue tracker="bnc" id="1203007">VUL-0: MozillaThunderbird: update to 102.2.1</issue>
  <issue tracker="cve" id="2022-34470"/>
  <issue tracker="cve" id="2022-38476"/>
  <issue tracker="cve" id="2022-2505"/>
  <issue tracker="cve" id="2022-36318"/>
  <issue tracker="cve" id="2022-34481"/>
  <issue tracker="cve" id="2022-3033"/>
  <issue tracker="cve" id="2022-38478"/>
  <issue tracker="cve" id="2022-34478"/>
  <issue tracker="cve" id="2022-36314"/>
  <issue tracker="cve" id="2022-38477"/>
  <issue tracker="cve" id="2022-34484"/>
  <issue tracker="cve" id="2022-2200"/>
  <issue tracker="cve" id="2022-34468"/>
  <issue tracker="cve" id="2022-34472"/>
  <issue tracker="cve" id="2022-38473"/>
  <issue tracker="cve" id="2022-38472"/>
  <issue tracker="cve" id="2022-3032"/>
  <issue tracker="cve" id="2022-36059"/>
  <issue tracker="cve" id="2022-2226"/>
  <issue tracker="cve" id="2022-3034"/>
  <issue tracker="cve" id="2022-31744"/>
  <issue tracker="cve" id="2022-36319"/>
  <issue tracker="cve" id="2022-34479"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Updated to Mozilla Thunderbird 102.2.2:
- CVE-2022-3033: Fixed leaking of sensitive information when composing a response to an HTML email with a META refresh tag (bsc#1203007).
- CVE-2022-3032: Fixed missing blocking of remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute (bsc#1203007).
- CVE-2022-3034: Fixed issue where iframe element in an HTML email could trigger a network request (bsc#1203007).
- CVE-2022-36059: Fixed DoS attack in the Matrix SDK bundled with Thunderbird (bsc#1203007).

- CVE-2022-38472: Fixed address bar spoofing via XSLT error handling (bsc#1202645).
- CVE-2022-38473: Fixed cross-origin XSLT documents inheriting the parent's permissions (bsc#1202645).
- CVE-2022-38476: Fixed data race and potential use-after-free in PK11_ChangePW (bsc#1202645).
- CVE-2022-38477: Fixed memory safety bugs (bsc#1202645).
- CVE-2022-38478: Fixed memory safety bugs (bsc#1202645).

- CVE-2022-36319: Fixed mouse position spoofing with CSS transforms (bsc#1201758).
- CVE-2022-36318: Fixed directory indexes for bundled resources reflecting URL parameters (bsc#1201758).
- CVE-2022-36314: Fixed unexpected network loads when opening local .lnk files (bsc#1201758).
- CVE-2022-2505: Fixed memory safety bugs (bsc#1201758).

- CVE-2022-34479: Fixed vulnerability which could overlay the address bar with web content (bsc#1200793).
- CVE-2022-34470: Fixed use-after-free in nsSHistory (bsc#1200793).
- CVE-2022-34468: Fixed bypass of a CSP sandbox header without `allow-scripts` via retargeted javascript (bsc#1200793).
- CVE-2022-2226: Fixed emails with a mismatching OpenPGP signature date incorrectly accepted as valid (bsc#1200793).
- CVE-2022-34481: Fixed integer overflow in ReplaceElementsAt (bsc#1200793).
- CVE-2022-31744: Fixed CSP bypass enabling stylesheet injection (bsc#1200793).
- CVE-2022-34472: Fixed unavailable PAC file resulting in OCSP requests being blocked (bsc#1200793).
- CVE-2022-34478: Fixed attacks on Microsoft protocols that were possible if a user accepts a prompt (bsc#1200793).
- CVE-2022-2200: Fixed vulnerability where undesired attributes could be set as part of prototype pollution (bsc#1200793).
- CVE-2022-34484: Fixed memory safety bugs (bsc#1200793).
</description>
</patchinfo>