Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3664-1 advisory.
Security fixes:
- Mozilla Thunderbird 115.2.2 (MFSA 2023-40, bsc#1215245)
- CVE-2023-4863: Fixed heap buffer overflow in libwebp (bmo#1852649).
- Mozilla Thunderbird 115.2 (MFSA 2023-38, bsc#1214606)
- CVE-2023-4573: Memory corruption in IPC CanvasTranslator (bmo#1846687)
- CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback (bmo#1846688)
- CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback (bmo#1846689)
- CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation (bmo#1846694)
- CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics (bmo#1847397)
- CVE-2023-4051: Full screen notification obscured by file open dialog (bmo#1821884)
- CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception (bmo#1839007)
- CVE-2023-4053: Full screen notification obscured by external program (bmo#1839079)
- CVE-2023-4580: Push notifications saved to disk unencrypted (bmo#1843046)
- CVE-2023-4581: XLL file extensions were downloadable without warnings (bmo#1843758)
- CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv (bmo#1773874)
- CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window (bmo#1842030)
- CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529)
- CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2 (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999)
Other fixes:
Mozilla Thunderbird 115.2.1
* new: Column separators are now shown between all columns in tree view (bmo#1847441)
* fixed: Crash reporter did not work in Thunderbird Flatpak (bmo#1843102)
* fixed: New mail notification always opened message in message pane, even if pane was disabled (bmo#1840092)
* fixed: After moving an IMAP message to another folder, the incorrect message was selected in the message list (bmo#1845376)
* fixed: Adding a tag to an IMAP message opened in a tab failed (bmo#1844452)
* fixed: Junk/Spam folders were not always shown in Unified Folders mode (bmo#1838672)
* fixed: Middle-clicking a folder or message did not open it in a background tab, as in previous versions (bmo#1842482)
* fixed: Settings tab visual improvements: Advanced Fonts dialog, Section headers hidden behind search box (bmo#1717382,bmo#1846751)
* fixed: Various visual and style fixes (bmo#1843707,bmo#1849823)
Mozilla Thunderbird 115.2
* new: Thunderbird MSIX packages are now published on archive.mozilla.org (bmo#1817657)
* changed: Size, Unread, and Total columns are now right- aligned (bmo#1848604)
* changed: Newsgroup names in message list header are now abbreviated (bmo#1833298)
* fixed: Message compose window did not apply theme colors to menus (bmo#1845699)
* fixed: Reading the second new message in a folder cleared the unread indicator of all other new messages (bmo#1839805)
* fixed: Displayed counts of unread or flagged messages could become out-of-sync (bmo#1846860)
* fixed: Deleting a message from the context menu with messages sorted in chronological order and smooth scroll enabled caused message list to scroll to top (bmo#1843462)
* fixed: Repeatedly switching accounts in Subscribe dialog caused tree view to stop updating (bmo#1845593)
* fixed: 'Ignore thread' caused message cards to display incorrectly in message list (bmo#1847966)
* fixed: Creating tags from unified toolbar failed (bmo#1846336)
* fixed: Cross-folder navigation using F and N did not work (bmo#1845011)
* fixed: Account Manager did not resize to fit content, causing 'Close' button to become hidden outside bounds of dialog when too many accounts were listed (bmo#1847555)
* fixed: Remote content exceptions could not be added in Settings (bmo#1847576)
* fixed: Newsgroup list file did not get updated after adding a new NNTP server (bmo#1845464)
* fixed: 'Download all headers' option in NNTP 'Download Headers' dialog was incorrectly selected by default (bmo#1845457)
* fixed: 'Convert to event/task' was missing from mail context menu (bmo#1817705)
* fixed: Events and tasks were not shown in some cases despite being present on remote server (bmo#1827100)
* fixed: Various visual and UX improvements (bmo#1844244,bmo#1845645)
- Mozilla Thunderbird 115.1.1
* fixed: Some HTML emails printed headers on first page and message on subsequent pages (bmo#1843628)
* fixed: Deleting messages from message list sometimes scrolled list to bottom, selecting bottommost message (bmo#1835173)
* fixed: Width of icon columns (like Junk or Starred) in message list did not adjust when UI density was changed (bmo#1843014)
* fixed: Old OpenPGP secret keys could not be used to decrypt messages under certain circumstances (bmo#1835786)
* fixed: When multiple folder modes were active, tab focus navigated through all folder mode options before reaching message list (bmo#1842060)
* fixed: Unread message count badge was not displayed on parent folders of subfolder containing unread messages (bmo#1844534)
* fixed: 'Undo archive' (via Ctrl-Z) did not un-archive previously archived messages (bmo#1829340)
* fixed: 'New' button dropdown menu in 'Message Filters' dialog could not be opened via keyboard navigation (bmo#1843511)
* fixed: 'Show New Mail Alert for' input field in 'Customize New Mail Alert' dialog had zero width when using certain language packs (bmo#1845832)
* fixed: 'Account Wizard' dialog was too narrow when adding a news server, partially hiding confirmation buttons (bmo#1846588)
* fixed: Link Properties and Image Properties dialogs in the composer were too wide (bmo#1816850)
* fixed: Thunderbird version number and details in 'About' dialog were not automatically read by screen readers when first opening dialog (bmo#1847078)
* fixed: Flatpak improvements and bug fixes (bmo#1825399,bmo#1843094,bmo#1843097)
* fixed: Various visual and UX improvements (bmo#1846262)
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected MozillaThunderbird, MozillaThunderbird-translations-common and / or MozillaThunderbird-translations- other packages.
Plugin Details
File Name: suse_SU-2023-3664-1.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:mozillathunderbird, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-common, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-other
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 9/18/2023
Vulnerability Publication Date: 8/1/2023
CISA Known Exploited Vulnerability Due Dates: 10/4/2023
Reference Information
CVE: CVE-2023-4051, CVE-2023-4053, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4582, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585, CVE-2023-4863
SuSE: SUSE-SU-2023:3664-1