MozillaThunderbird-91.7.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11909 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaThunderbird-91.7.0-1.1 on GA media These are all security issues fixed in the MozillaThunderbird-91.7.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11909 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11909 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-26381/ SUSE CVE CVE-2022-26381 page https://www.suse.com/security/cve/CVE-2022-26383/ SUSE CVE CVE-2022-26383 page https://www.suse.com/security/cve/CVE-2022-26384/ SUSE CVE CVE-2022-26384 page https://www.suse.com/security/cve/CVE-2022-26386/ SUSE CVE CVE-2022-26386 page https://www.suse.com/security/cve/CVE-2022-26387/ SUSE CVE CVE-2022-26387 page https://www.suse.com/security/cve/CVE-2022-26485/ SUSE CVE CVE-2022-26485 page https://www.suse.com/security/cve/CVE-2022-26486/ SUSE CVE CVE-2022-26486 page openSUSE Tumbleweed MozillaThunderbird-91.7.0-1.1 MozillaThunderbird-translations-common-91.7.0-1.1 MozillaThunderbird-translations-other-91.7.0-1.1 MozillaThunderbird-91.7.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-common-91.7.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-other-91.7.0-1.1 as a component of openSUSE Tumbleweed An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. CVE-2022-26381 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26381.html CVE-2022-26381 https://bugzilla.suse.com/1196900 SUSE Bug 1196900 When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. CVE-2022-26383 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26383.html CVE-2022-26383 https://bugzilla.suse.com/1196900 SUSE Bug 1196900 If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. CVE-2022-26384 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26384.html CVE-2022-26384 https://bugzilla.suse.com/1196900 SUSE Bug 1196900 Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. <br>*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7. CVE-2022-26386 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26386.html CVE-2022-26386 https://bugzilla.suse.com/1196900 SUSE Bug 1196900 When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. CVE-2022-26387 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26387.html CVE-2022-26387 https://bugzilla.suse.com/1196900 SUSE Bug 1196900 Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. CVE-2022-26485 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26485.html CVE-2022-26485 https://bugzilla.suse.com/1196809 SUSE Bug 1196809 An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. CVE-2022-26486 openSUSE Tumbleweed:MozillaThunderbird-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-91.7.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-91.7.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26486.html CVE-2022-26486 https://bugzilla.suse.com/1196809 SUSE Bug 1196809