SUSE SLED15: MozillaThunderbird / MozillaThunderbird-translations-common / etc (SUSE-SU-2022:3800-1)

high Nessus Plugin ID 166692

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3800-1 advisory.

- Mozilla Thunderbird 102.4.0 (bsc#1204421)
* changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102
* fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze
* fixed: Forwarding messages with special characters in Subject failed on Windows
* fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters
* fixed: Address Book display pane continued to show contacts after deletion
* fixed: Printing address book did not include all contact details
* fixed: CardDAV contacts without a Name property did not save to Google Contacts
* fixed: 'Publish Calendar' did not work
* fixed: Calendar database storage improvements
* fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar
* fixed: Various visual and UX improvements
- Mozilla Thunderbird 102.3.3
* new: Option added to show containing address book for a contact when using `All Address Books` in vertical mode (bmo#1778871)
* changed: Thunderbird will try to use POP NTLM authentication even if not advertised by server (bmo#1793349)
* changed: Task List and Today Pane sidebars will no longer load when not visible (bmo#1788549)
* fixed: Sending a message while a recipient pill was being modified did not save changes (bmo#1779785)
* fixed: Nickname column was not available in horizontal view of Address Book (bmo#1778000)
* fixed: Multiline organization values were displayed across two columns in horizontal view of Address Book (bmo#1777780)
* fixed: Contact vCard fields with multiple values such as Categories were truncated when saved (bmo#1792399)
* fixed: ICS calendar files with a `FREEBUSY` property could not be imported (bmo#1783441)
* fixed: Thunderbird would hang if calendar event exceeded the year 2035 (bmo#1789999)
- Mozilla Thunderbird 102.3.2
* changed: Thunderbird will try to use POP CRAM-MD5 authentication even if not advertised by server (bmo#1789975)
* fixed: Checking messages on POP3 accounts caused POP folder to lock if mail server was slow or non-responsive (bmo#1792451)
* fixed: Newsgroups named with consecutive dots would not appear when refreshing list of newsgroups (bmo#1787789)
* fixed: Sending news articles containing lines starting with dot were sometimes clipped (bmo#1787955)
* fixed: CardDAV server sync silently failed if sync token expired (bmo#1791183)
* fixed: Contacts from LDAP on macOS address books were not displayed (bmo#1791347)
* fixed: Chat account input now accepts URIs for supported chat protocols (bmo#1776706)
* fixed: Chat ScreenName field was not migrated to new address book (bmo#1789990)
* fixed: Creating a New Event from the Today Pane used the currently selected day from the main calendar instead of from the Today Pane (bmo#1791203)
* fixed: `New Event` button in Today Pane was incorrectly disabled sometimes (bmo#1792058)
* fixed: Event reminder windows did not close after being dismissed or snoozed (bmo#1791228)
* fixed: Improved performance of recurring event date calculation (bmo#1787677)
* fixed: Quarterly calendar events on the last day of the month repeated one month early (bmo#1789362)
* fixed: Thunderbird would hang if calendar event exceeded the year 2035 (bmo#1789999)
* fixed: Whitespace in calendar events was incorrectly handled when upgrading from Thunderbird 91 to 102 (bmo#1790339)
* fixed: Various visual and UX improvements (bmo#1755623,bmo#17 83903,bmo#1785851,bmo#1786434,bmo#1787286,bmo#1788151,bmo#178 9728,bmo#1790499)
- Mozilla Thunderbird 102.3.1
* changed: Compose window encryption options now only appear for encryption technologies that have already been configured (bmo#1788988)
* changed: Number of contacts in currently selected address book now displayed at bottom of Address Book list column (bmo#1745571)
* fixed: Password prompt did not include server hostname for POP servers (bmo#1786920)
* fixed: `Edit Contact` was missing from Contacts sidebar context menus (bmo#1771795)
* fixed: Address Book contact lists cut off display of some characters, the result being unreadable (bmo#1780909)
* fixed: Menu items for dark-themed alarm dialog were invisible on Windows 7 (bmo#1791738)
* fixed: Various security fixes MFSA 2022-43 (bsc#1204411)
* CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack
* CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack
* CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue
- Mozilla Thunderbird 102.3
* changed: Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss.
(bmo#1790605)
* changed: Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954)
* fixed: Thunderbird startup performance improvements (bmo#1785967)
* fixed: Saving email source and images failed (bmo#1777323,bmo#1778804)
* fixed: Error message was shown repeatedly when temporary disk space was full (bmo#1788580)
* fixed: Attaching OpenPGP keys without a set size to non- encrypted messages briefly displayed a size of zero bytes (bmo#1788952)
* fixed: Global Search entry box initially contained 'undefined' (bmo#1780963)
* fixed: Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418)
* fixed: Connections to POP3 servers without UIDL support failed (bmo#1789314)
* fixed: Pop accounts with 'Fetch headers only' set downloaded complete messages if server did not advertise TOP capability (bmo#1789356)
* fixed: 'File -> New -> Address Book Contact' from Compose window did not work (bmo#1782418)
* fixed: Attach 'My vCard' option in compose window was not available (bmo#1787614)
* fixed: Improved performance of matching a contact to an email address (bmo#1782725)
* fixed: Address book only recognized a contact's first two email addresses (bmo#1777156)
* fixed: Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793)
* fixed: Downloading NNTP messages for offline use failed (bmo#1785773)
* fixed: NNTP client became stuck when connecting to Public- Inbox servers (bmo#1786203)
* fixed: Various visual and UX improvements (bmo#1782235,bmo#1787448,bmo#1788725,bmo#1790324)
* fixed: Various security fixes
* unresolved: No dedicated 'Department' field in address book (bmo#1777780) MFSA 2022-42 (bsc#1203477)
* CVE-2022-3266 (bmo#1767360) Out of bounds read when decoding H264
* CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
* CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64
* CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS could be executed without warning
* CVE-2022-40962 (bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected MozillaThunderbird, MozillaThunderbird-translations-common and / or MozillaThunderbird-translations- other packages.

See Also

https://bugzilla.suse.com/1203477

https://bugzilla.suse.com/1204411

https://bugzilla.suse.com/1204421

https://www.suse.com/security/cve/CVE-2022-3155

https://www.suse.com/security/cve/CVE-2022-3266

https://www.suse.com/security/cve/CVE-2022-39236

https://www.suse.com/security/cve/CVE-2022-39249

https://www.suse.com/security/cve/CVE-2022-39250

https://www.suse.com/security/cve/CVE-2022-39251

https://www.suse.com/security/cve/CVE-2022-40956

https://www.suse.com/security/cve/CVE-2022-40957

https://www.suse.com/security/cve/CVE-2022-40958

https://www.suse.com/security/cve/CVE-2022-40959

https://www.suse.com/security/cve/CVE-2022-40960

https://www.suse.com/security/cve/CVE-2022-40962

http://www.nessus.org/u?a02e7002

Plugin Details

Severity: High

ID: 166692

File Name: suse_SU-2022-3800-1.nasl

Version: 1.11

Type: Local

Agent: unix

Published: 10/28/2022

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-40962

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:mozillathunderbird, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-common, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-other

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/27/2022

Vulnerability Publication Date: 9/20/2022

Reference Information

CVE: CVE-2022-3155, CVE-2022-3266, CVE-2022-39236, CVE-2022-39249, CVE-2022-39250, CVE-2022-39251, CVE-2022-40956, CVE-2022-40957, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, CVE-2022-40962

SuSE: SUSE-SU-2022:3800-1