Overview

File _patchinfo of Package patchinfo.35953

<patchinfo incident="35953">
  <issue tracker="bnc" id="1230979">VUL-0: MozillaFirefox / MozillaThunderbird: update to 131 and 128.3esr</issue>
  <issue tracker="bnc" id="1231413">VUL-0: MozillaFirefox / MozillaThunderbird: update to 131.0.2 and 128.3.1esr</issue>
  <issue tracker="cve" id="2024-9398"/>
  <issue tracker="cve" id="2024-9399"/>
  <issue tracker="cve" id="2024-9393"/>
  <issue tracker="cve" id="2024-9402"/>
  <issue tracker="cve" id="2024-8900"/>
  <issue tracker="cve" id="2024-9392"/>
  <issue tracker="cve" id="2024-9394"/>
  <issue tracker="cve" id="2024-9400"/>
  <issue tracker="cve" id="2024-9397"/>
  <issue tracker="cve" id="2024-9396"/>
  <issue tracker="cve" id="2024-9401"/>
  <issue tracker="cve" id="2024-9680"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 128.3.1 (MFSA 2024-51, bsc#1231413):

- CVE-2024-9680: Use-after-free in Animation timeline   
    
Update to Mozilla Thunderbird 128.3 (MFSA 2024-49, bsc#1230979):

- CVE-2024-9392: Compromised content process can bypass site isolation
- CVE-2024-9393: Cross-origin access to PDF contents through multipart responses
- CVE-2024-9394: Cross-origin access to JSON contents through multipart responses
- CVE-2024-8900: Clipboard write permission bypass
- CVE-2024-9396: Potential memory corruption may occur when cloning certain objects
- CVE-2024-9397: Potential directory upload bypass via clickjacking
- CVE-2024-9398: External protocol handlers could be enumerated via popups
- CVE-2024-9399: Specially crafted WebTransport requests could lead to denial of service
- CVE-2024-9400: Potential memory corruption during JIT compilation
- CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
- CVE-2024-9402: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
    
Other fixes:

- fixed: Opening an EML file with a 'mailto:' link did not work
- fixed: Collapsed POP3 account folder was expanded after emptying trash on exit
- fixed: "Mark Folder Read" on a cross-folder search marked all underlying folders read
- fixed: Unable to open/view attached OpenPGP encrypted messages
- fixed: Unable to "Decrypt and Open" an attached OpenPGP key file
- fixed: Subject could disappear when replying to a message saved in an EML file
- fixed: OAuth2 authentication method was not available when adding SMTP server
- fixed: Unable to subscribe to .ics calendars in some situations
- fixed: Visual and UX improvements
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places