File _patchinfo of Package patchinfo.26491
<patchinfo incident="26491">
<issue tracker="bnc" id="1203477">VUL-0: MozillaFirefox / MozillaThunderbird: update to 105 and 102.3esr</issue>
<issue tracker="bnc" id="1204411">VUL-0: MozillaThunderbird: update to 102.3.1 (MFSA2022-43)</issue>
<issue tracker="bnc" id="1204421">VUL-0: MozillaFirefox / MozillaThunderbird: update to 106 and 102.4esr</issue>
<issue tracker="cve" id="2022-3155"/>
<issue tracker="cve" id="2022-40957"/>
<issue tracker="cve" id="2022-3266"/>
<issue tracker="cve" id="2022-40962"/>
<issue tracker="cve" id="2022-39250"/>
<issue tracker="cve" id="2022-40959"/>
<issue tracker="cve" id="2022-39251"/>
<issue tracker="cve" id="2022-40956"/>
<issue tracker="cve" id="2022-39249"/>
<issue tracker="cve" id="2022-40960"/>
<issue tracker="cve" id="2022-39236"/>
<issue tracker="cve" id="2022-40958"/>
<packager>MSirringhaus</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for MozillaThunderbird</summary>
<description>This update for MozillaThunderbird fixes the following issues:
- Mozilla Thunderbird 102.4.0 (bsc#1204421)
* changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102
* fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze
* fixed: Forwarding messages with special characters in Subject failed on Windows
* fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters
* fixed: Address Book display pane continued to show contacts after deletion
* fixed: Printing address book did not include all contact details
* fixed: CardDAV contacts without a Name property did not save to Google Contacts
* fixed: "Publish Calendar" did not work
* fixed: Calendar database storage improvements
* fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar
* fixed: Various visual and UX improvements
- Mozilla Thunderbird 102.3.3
* new: Option added to show containing address book for a
contact when using `All Address Books` in vertical mode
(bmo#1778871)
* changed: Thunderbird will try to use POP NTLM authentication
even if not advertised by server (bmo#1793349)
* changed: Task List and Today Pane sidebars will no longer
load when not visible (bmo#1788549)
* fixed: Sending a message while a recipient pill was being
modified did not save changes (bmo#1779785)
* fixed: Nickname column was not available in horizontal view
of Address Book (bmo#1778000)
* fixed: Multiline organization values were displayed across
two columns in horizontal view of Address Book (bmo#1777780)
* fixed: Contact vCard fields with multiple values such as
Categories were truncated when saved (bmo#1792399)
* fixed: ICS calendar files with a `FREEBUSY` property could
not be imported (bmo#1783441)
* fixed: Thunderbird would hang if calendar event exceeded the
year 2035 (bmo#1789999)
- Mozilla Thunderbird 102.3.2
* changed: Thunderbird will try to use POP CRAM-MD5
authentication even if not advertised by server (bmo#1789975)
* fixed: Checking messages on POP3 accounts caused POP folder
to lock if mail server was slow or non-responsive
(bmo#1792451)
* fixed: Newsgroups named with consecutive dots would not
appear when refreshing list of newsgroups (bmo#1787789)
* fixed: Sending news articles containing lines starting with
dot were sometimes clipped (bmo#1787955)
* fixed: CardDAV server sync silently failed if sync token
expired (bmo#1791183)
* fixed: Contacts from LDAP on macOS address books were not
displayed (bmo#1791347)
* fixed: Chat account input now accepts URIs for supported chat
protocols (bmo#1776706)
* fixed: Chat ScreenName field was not migrated to new address
book (bmo#1789990)
* fixed: Creating a New Event from the Today Pane used the
currently selected day from the main calendar instead of from
the Today Pane (bmo#1791203)
* fixed: `New Event` button in Today Pane was incorrectly
disabled sometimes (bmo#1792058)
* fixed: Event reminder windows did not close after being
dismissed or snoozed (bmo#1791228)
* fixed: Improved performance of recurring event date
calculation (bmo#1787677)
* fixed: Quarterly calendar events on the last day of the month
repeated one month early (bmo#1789362)
* fixed: Thunderbird would hang if calendar event exceeded the
year 2035 (bmo#1789999)
* fixed: Whitespace in calendar events was incorrectly handled
when upgrading from Thunderbird 91 to 102 (bmo#1790339)
* fixed: Various visual and UX improvements (bmo#1755623,bmo#17
83903,bmo#1785851,bmo#1786434,bmo#1787286,bmo#1788151,bmo#178
9728,bmo#1790499)
- Mozilla Thunderbird 102.3.1
* changed: Compose window encryption options now only appear
for encryption technologies that have already been configured
(bmo#1788988)
* changed: Number of contacts in currently selected address
book now displayed at bottom of Address Book list column
(bmo#1745571)
* fixed: Password prompt did not include server hostname for
POP servers (bmo#1786920)
* fixed: `Edit Contact` was missing from Contacts sidebar
context menus (bmo#1771795)
* fixed: Address Book contact lists cut off display of some
characters, the result being unreadable (bmo#1780909)
* fixed: Menu items for dark-themed alarm dialog were invisible
on Windows 7 (bmo#1791738)
* fixed: Various security fixes
MFSA 2022-43 (bsc#1204411)
* CVE-2022-39249 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a device
verification attack
* CVE-2022-39251 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack
* CVE-2022-39236 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a data
corruption issue
- Mozilla Thunderbird 102.3
* changed: Thunderbird will no longer attempt to import account
passwords when importing from another Thunderbird profile in
order to prevent profile corruption and permanent data loss.
(bmo#1790605)
* changed: Devtools performance profile will use Thunderbird
presets instead of Web Developer presets (bmo#1785954)
* fixed: Thunderbird startup performance improvements
(bmo#1785967)
* fixed: Saving email source and images failed
(bmo#1777323,bmo#1778804)
* fixed: Error message was shown repeatedly when temporary disk
space was full (bmo#1788580)
* fixed: Attaching OpenPGP keys without a set size to non-
encrypted messages briefly displayed a size of zero bytes
(bmo#1788952)
* fixed: Global Search entry box initially contained
"undefined" (bmo#1780963)
* fixed: Delete from POP Server mail filter rule intermittently
failed to trigger (bmo#1789418)
* fixed: Connections to POP3 servers without UIDL support
failed (bmo#1789314)
* fixed: Pop accounts with "Fetch headers only" set downloaded
complete messages if server did not advertise TOP capability
(bmo#1789356)
* fixed: "File -> New -> Address Book Contact" from Compose
window did not work (bmo#1782418)
* fixed: Attach "My vCard" option in compose window was not
available (bmo#1787614)
* fixed: Improved performance of matching a contact to an email
address (bmo#1782725)
* fixed: Address book only recognized a contact's first two
email addresses (bmo#1777156)
* fixed: Address book search and autocomplete failed if a
contact vCard could not be parsed (bmo#1789793)
* fixed: Downloading NNTP messages for offline use failed
(bmo#1785773)
* fixed: NNTP client became stuck when connecting to Public-
Inbox servers (bmo#1786203)
* fixed: Various visual and UX improvements
(bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324)
* fixed: Various security fixes
* unresolved: No dedicated "Department" field in address book
(bmo#1777780)
MFSA 2022-42 (bsc#1203477)
* CVE-2022-3266 (bmo#1767360)
Out of bounds read when decoding H264
* CVE-2022-40959 (bmo#1782211)
Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633)
Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993)
Bypassing Secure Context restriction for cookies with __Host
and __Secure prefix
* CVE-2022-40956 (bmo#1770094)
Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604)
Incoherent instruction cache when building WASM on ARM64
* CVE-2022-3155 (bmo#1789061)
Attachment files saved to disk on macOS could be executed
without warning
* CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835,
bmo#1785109, bmo#1786502, bmo#1789440)
Memory safety bugs fixed in Thunderbird 102.3
</description>
</patchinfo>
