File _patchinfo of Package patchinfo.26720
<patchinfo incident="26720">
<issue tracker="bnc" id="1204421">VUL-0: MozillaFirefox / MozillaThunderbird: update to 106 and 102.4esr</issue>
<issue tracker="bnc" id="1205270">VUL-0: MozillaFirefox / MozillaThunderbird: update to 107 and 102.5esr</issue>
<issue tracker="cve" id="2022-42928"/>
<issue tracker="cve" id="2022-45410"/>
<issue tracker="cve" id="2022-42929"/>
<issue tracker="cve" id="2022-45408"/>
<issue tracker="cve" id="2022-42927"/>
<issue tracker="cve" id="2022-45409"/>
<issue tracker="cve" id="2022-45418"/>
<issue tracker="cve" id="2022-42932"/>
<issue tracker="cve" id="2022-45412"/>
<issue tracker="cve" id="2022-45411"/>
<issue tracker="cve" id="2022-45416"/>
<issue tracker="cve" id="2022-45406"/>
<issue tracker="cve" id="2022-45420"/>
<issue tracker="cve" id="2022-45404"/>
<issue tracker="cve" id="2022-45421"/>
<issue tracker="cve" id="2022-45405"/>
<issue tracker="cve" id="2022-45403"/>
<packager>MSirringhaus</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for MozillaThunderbird</summary>
<description>This update for MozillaThunderbird fixes the following issues:
- Fixed various security issues (MFSA 2022-49, bsc#1205270):
* CVE-2022-45403 (bmo#1762078)
Service Workers might have learned size of cross-origin media
files
* CVE-2022-45404 (bmo#1790815)
Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314)
Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975)
Use-after-free of a JavaScript Realm
* CVE-2022-45408 (bmo#1793829)
Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901)
Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869)
ServiceWorker-intercepted requests bypassed SameSite cookie
policy
* CVE-2022-45411 (bmo#1790311)
Cross-Site Tracing was possible via non-standard override
headers
* CVE-2022-45412 (bmo#1791029)
Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45416 (bmo#1793676)
Keystroke Side-Channel Leakage
* CVE-2022-45418 (bmo#1795815)
Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45420 (bmo#1792643)
Iframe contents could be rendered outside the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
Memory safety bugs fixed in Thunderbird 102.5
- Fixed various security issues (MFSA 2022-46, bsc#1204421):
* CVE-2022-42927 (bmo#1789128)
Same-origin policy violation could have leaked cross-origin
URLs
* CVE-2022-42928 (bmo#1791520)
Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439)
Denial of Service via window.print
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
Memory safety bugs fixed in Thunderbird 102.4
- Mozilla Thunderbird 102.5
* changed: `Ctrl+N` shortcut to create new contacts from
address book restored (bmo#1751288)
* fixed: Account Settings UI did not update to reflect default
identity changes (bmo#1782646)
* fixed: New POP mail notifications were incorrectly shown for
messages marked by filters as read or junk (bmo#1787531)
* fixed: Connecting to an IMAP server configured to use
`PREAUTH` caused Thunderbird to hang (bmo#1798161)
* fixed: Error responses received in greeting header from NNTP
servers did not display error message (bmo#1792281)
* fixed: News messages sent using "Send Later" failed to send
after going back online (bmo#1794997)
* fixed: "Download/Sync Now..." did not completely sync all
newsgroups before going offline (bmo#1795547)
* fixed: Username was missing from error dialog on failed login
to news server (bmo#1796964)
* fixed: Thunderbird can now fetch RSS channel feeds with
incomplete channel URL (bmo#1794775)
* fixed: Add-on "Contribute" button in Add-ons Manager did not
work (bmo#1795751)
* fixed: Help text for `/part` Matrix command was incorrect
(bmo#1795578)
* fixed: Invite Attendees dialog did not fetch free/busy info
for attendees with encoded characters in their name
(bmo#1797927)
- Mozilla Thunderbird 102.4.2
* changed: "Address Book" button in Account Central will now
create a CardDAV address book instead of a local address book
(bmo#1793903)
* fixed: Messages fetched from POP server in `Fetch headers
only` mode disappeared when moved to different folder by
filter action (bmo#1793374)
* fixed: Thunderbird re-downloaded locally deleted messages
from a POP server when "Leave messages on server" and "Until
I delete them" were enabled (bmo#1796903)
* fixed: Multiple password prompts for the same POP account
could be displayed (bmo#1786920)
* fixed: IMAP authentication failed on next startup if ImapMail
folder was deleted by user (bmo#1793599)
* fixed: Retrieving passwords for authenticated NNTP accounts
could fail due to obsolete preferences in a user's profile on
every startup (bmo#1770594)
* fixed: `Get Next n Messages` did not consistently fetch all
messages requested from NNTP server (bmo#1794185)
* fixed: `Get Messages` button unable to fetch messages from
NNTP server if root folder not selected (bmo#1792362)
* fixed: Thunderbird text branding did not always match locale
of localized build (bmo#1786199)
* fixed: Thunderbird installer and Thunderbird updater created
Windows shortcuts with different names (bmo#1787264)
* fixed: LDAP search filters unable to work with non-ASCII
characters (bmo#1794306)
* fixed: "Today" highlighting in Calendar Month view did not
update after date change at midnight (bmo#1795176)
- Mozilla Thunderbird 102.4.1
* new: Thunderbird will now catch and report errors parsing
vCards that contain incorrectly formatted dates (bmo#1793415)
* fixed: Dynamic language switching did not update interface
when switched to right-to-left languages (bmo#1794289)
* fixed: Custom header data was discarded after messages were
saved as draft and reopened (bmo#195716)
* fixed: `-remote` command line argument did not work,
affecting integration with various applications such as
LibreOffice (bmo#1793323)
* fixed: Messages received via some SMS-to-email services could
not display images (bmo#1774805)
* fixed: VCards with nickname field set could not be edited
(bmo#1793877)
* fixed: Some recurring events were missing from Agenda on
first load (bmo#1771168)
* fixed: Download requests for remote ICS calendars incorrectly
set "Accept" header to text/xml (bmo#1793757)
* fixed: Monthly events created on the 31st of a month with &lt;30
days placed first occurrence 1-2 days after the beginning of
the following month (bmo#1266797)
* fixed: Various visual and UX improvements
(bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)
* changed: Thunderbird will automatically detect and repair
OpenPGP key storage corruption caused by using the profile
import tool in Thunderbird 102 (bmo#1790610)
* fixed: POP message download into a large folder (~13000
messages) caused Thunderbird to temporarily freeze
(bmo#1792675)
* fixed: Forwarding messages with special characters in Subject
failed on Windows (bmo#1782173)
* fixed: Links for FileLink attachments were not added when
attachment filename contained Unicode characters
(bmo#1789589)
* fixed: Address Book display pane continued to show contacts
after deletion (bmo#1777808)
* fixed: Printing address book did not include all contact
details (bmo#1782076)
* fixed: CardDAV contacts without a Name property did not save
to Google Contacts (bmo#1792101)
* fixed: "Publish Calendar" did not work (bmo#1794471)
* fixed: Calendar database storage improvements (bmo#1792124)
* fixed: Incorrectly handled error responses from CalDAV
servers sometimes caused events to disappear from calendar
(bmo#1792923)
* fixed: Various visual and UX improvements
(bmo#1776093,bmo#1780040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#1793543)
</description>
</patchinfo>