File _patchinfo of Package patchinfo.28787

<patchinfo incident="28787">
  <issue tracker="bnc" id="1210212">VUL-0: MozillaFirefox / MozillaThunderbird: update to 112 and 102.10esr</issue>
  <issue tracker="cve" id="2023-29550"/>
  <issue tracker="cve" id="2023-0547"/>
  <issue tracker="cve" id="2023-29532"/>
  <issue tracker="cve" id="2023-29531"/>
  <issue tracker="cve" id="2023-1999"/>
  <issue tracker="cve" id="2023-29535"/>
  <issue tracker="cve" id="2023-29539"/>
  <issue tracker="cve" id="2023-29541"/>
  <issue tracker="cve" id="2023-29545"/>
  <issue tracker="cve" id="2023-29536"/>
  <issue tracker="cve" id="2023-29479"/>
  <issue tracker="cve" id="2023-29542"/>
  <issue tracker="cve" id="2023-29533"/>
  <issue tracker="cve" id="2023-1945"/>
  <issue tracker="cve" id="2023-29548"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 102.10.1 (MFSA 2023-15) (bsc#1210212):

Security fixes:
  * CVE-2023-29531: Out-of-bound memory access in WebGL on macOS (bmo#1794292)
  * CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass (bmo#1806394)
  * CVE-2023-29533: Fullscreen notification obscured (bmo#1798219, bmo#1814597)
  * CVE-2023-1999: Double-free in libwebp (bmo#1819244)
  * CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction (bmo#1820543)
  * CVE-2023-29536: Invalid free from JavaScript code (bmo#1821959)
  * CVE-2023-0547: Revocation status of S/MIME recipient certificates was not checked (bmo#1811298)
  * CVE-2023-29479: Hang when processing certain OpenPGP messages (bmo#1824978)
  * CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download (bmo#1784348)
  * CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux (bmo#1810191)
  * CVE-2023-29542: Bypass of file download extension restrictions (bmo#1810793, bmo#1815062)
  * CVE-2023-29545: Windows Save As dialog resolved environment variables (bmo#1823077)
  * CVE-2023-1945: Memory Corruption in Safe Browsing Code (bmo#1777588)
  * CVE-2023-29548: Incorrect optimization result on ARM64 (bmo#1822754)
  * CVE-2023-29550: Memory safety bugs fixed in Thunderbird 102.10 (bmo#1720594, bmo#1751945, bmo#1812498,
    bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493,
    bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413,
    bmo#1824828)
    
Other fixes:
  * fixed: Messages with missing or corrupt "From:" header did not display message header buttons (bmo#1793918)
  * fixed: Composer repeatedly prompted for S/MIME smartcard signing/encryption password (bmo#1828366)
  * fixed: Address Book integration did not work with macOS 11.4 Big Sur (bmo#1720257)
  * fixed: Mexico City DST fix in Thunderbird 102.10.0 (bug 1826146) was incomplete (bmo#1827503)
  * changed: New messages will automatically select S/MIME if configured and OpenPGP is not (bmo#1793278)
  * fixed: Calendar events with timezone America/Mexico_City incorrectly applied Daylight Savings Time (bmo#1826146)
  * fixed: Security fixes
</description>
</patchinfo>