Detections
Analytics

SUSE SLED15: MozillaThunderbird / MozillaThunderbird-translations-common / etc (SUSE-SU-2022:4085-1)

critical Nessus Plugin ID 167930

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4085-1 advisory.

 - Fixed various security issues (MFSA 2022-49, bsc#1205270):
 * CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
 * CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
 * CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
 * CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
 * CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
 * CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
 * CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
 * CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
 * CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
 * CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
 * CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
 * CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
 * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5

 - Fixed various security issues: (MFSA 2022-46, bsc#1204421):
 * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
 * CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
 * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
 * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Thunderbird 102.4

 - Mozilla Thunderbird 102.5
 * changed: `Ctrl+N` shortcut to create new contacts from address book restored (bmo#1751288)
 * fixed: Account Settings UI did not update to reflect default identity changes (bmo#1782646)
 * fixed: New POP mail notifications were incorrectly shown for messages marked by filters as read or junk (bmo#1787531)
 * fixed: Connecting to an IMAP server configured to use `PREAUTH` caused Thunderbird to hang (bmo#1798161)
 * fixed: Error responses received in greeting header from NNTP servers did not display error message (bmo#1792281)
 * fixed: News messages sent using 'Send Later' failed to send after going back online (bmo#1794997)
 * fixed: 'Download/Sync Now...' did not completely sync all newsgroups before going offline (bmo#1795547)
 * fixed: Username was missing from error dialog on failed login to news server (bmo#1796964)
 * fixed: Thunderbird can now fetch RSS channel feeds with incomplete channel URL (bmo#1794775)
 * fixed: Add-on 'Contribute' button in Add-ons Manager did not work (bmo#1795751)
 * fixed: Help text for `/part` Matrix command was incorrect (bmo#1795578)
 * fixed: Invite Attendees dialog did not fetch free/busy info for attendees with encoded characters in their name (bmo#1797927)

 - Mozilla Thunderbird 102.4.2
 * changed: 'Address Book' button in Account Central will now create a CardDAV address book instead of a local address book (bmo#1793903)
 * fixed: Messages fetched from POP server in `Fetch headers only` mode disappeared when moved to different folder by filter action (bmo#1793374)
 * fixed: Thunderbird re-downloaded locally deleted messages from a POP server when 'Leave messages on server' and 'Until I delete them' were enabled (bmo#1796903)
 * fixed: Multiple password prompts for the same POP account could be displayed (bmo#1786920)
 * fixed: IMAP authentication failed on next startup if ImapMail folder was deleted by user (bmo#1793599)
 * fixed: Retrieving passwords for authenticated NNTP accounts could fail due to obsolete preferences in a users profile on every startup (bmo#1770594)
 * fixed: `Get Next n Messages` did not consistently fetch all messages requested from NNTP server (bmo#1794185)
 * fixed: `Get Messages` button unable to fetch messages from NNTP server if root folder not selected (bmo#1792362)
 * fixed: Thunderbird text branding did not always match locale of localized build (bmo#1786199)
 * fixed: Thunderbird installer and Thunderbird updater created Windows shortcuts with different names (bmo#1787264)
 * fixed: LDAP search filters unable to work with non-ASCII characters (bmo#1794306)
 * fixed: 'Today' highlighting in Calendar Month view did not update after date change at midnight (bmo#1795176)

 - Mozilla Thunderbird 102.4.1
 * new: Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates (bmo#1793415)
 * fixed: Dynamic language switching did not update interface when switched to right-to-left languages (bmo#1794289)
 * fixed: Custom header data was discarded after messages were saved as draft and reopened (bmo#195716)
 * fixed: `-remote` command line argument did not work, affecting integration with various applications such as LibreOffice (bmo#1793323)
 * fixed: Messages received via some SMS-to-email services could not display images (bmo#1774805)
 * fixed: VCards with nickname field set could not be edited (bmo#1793877)
 * fixed: Some recurring events were missing from Agenda on first load (bmo#1771168)
 * fixed: Download requests for remote ICS calendars incorrectly set 'Accept' header to text/xml (bmo#1793757)
 * fixed: Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month (bmo#1266797)
 * fixed: Various visual and UX improvements (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399)

 * changed: Thunderbird will automatically detect and repair OpenPGP key storage corruption caused by using the profile import tool in Thunderbird 102 (bmo#1790610)
 * fixed: POP message download into a large folder (~13000 messages) caused Thunderbird to temporarily freeze (bmo#1792675)
 * fixed: Forwarding messages with special characters in Subject failed on Windows (bmo#1782173)
 * fixed: Links for FileLink attachments were not added when attachment filename contained Unicode characters (bmo#1789589)
 * fixed: Address Book display pane continued to show contacts after deletion (bmo#1777808)
 * fixed: Printing address book did not include all contact details (bmo#1782076)
 * fixed: CardDAV contacts without a Name property did not save to Google Contacts (bmo#1792101)
 * fixed: 'Publish Calendar' did not work (bmo#1794471)
 * fixed: Calendar database storage improvements (bmo#1792124)
 * fixed: Incorrectly handled error responses from CalDAV servers sometimes caused events to disappear from calendar (bmo#1792923)
 * fixed: Various visual and UX improvements (bmo#1776093,bmo#17 80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179 3543)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected MozillaThunderbird, MozillaThunderbird-translations-common and / or MozillaThunderbird-translations- other packages.

See Also

https://bugzilla.suse.com/1204421

https://bugzilla.suse.com/1205270

https://www.suse.com/security/cve/CVE-2022-42927

https://www.suse.com/security/cve/CVE-2022-42928

https://www.suse.com/security/cve/CVE-2022-42929

https://www.suse.com/security/cve/CVE-2022-42932

https://www.suse.com/security/cve/CVE-2022-45403

https://www.suse.com/security/cve/CVE-2022-45404

https://www.suse.com/security/cve/CVE-2022-45405

https://www.suse.com/security/cve/CVE-2022-45406

https://www.suse.com/security/cve/CVE-2022-45408

https://www.suse.com/security/cve/CVE-2022-45409

https://www.suse.com/security/cve/CVE-2022-45410

https://www.suse.com/security/cve/CVE-2022-45411

https://www.suse.com/security/cve/CVE-2022-45412

https://www.suse.com/security/cve/CVE-2022-45416

https://www.suse.com/security/cve/CVE-2022-45418

https://www.suse.com/security/cve/CVE-2022-45420

https://www.suse.com/security/cve/CVE-2022-45421

http://www.nessus.org/u?51c75924

Plugin Details

Severity: Critical

ID: 167930

File Name: suse_SU-2022-4085-1.nasl

Version: 1.10

Type: Local

Agent: unix

Published: 11/19/2022

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-45421

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-45406

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:mozillathunderbird, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-common, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-other

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/18/2022

Vulnerability Publication Date: 10/18/2022

Reference Information

CVE: CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421

SuSE: SUSE-SU-2022:4085-1