Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1858-1 Final 1 1 2024-05-30T12:13:47Z current 2024-05-30T12:13:47Z 2024-05-30T12:13:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Update to version 115.11 (bsc#1224056): - CVE-2024-4367: Arbitrary JavaScript execution in PDF.js - CVE-2024-4767: IndexedDB files retained in private browsing mode - CVE-2024-4768: Potential permissions request bypass via clickjacking - CVE-2024-4769: Cross-origin responses could be distinguished between script and non-script content-types - CVE-2024-4770: Use-after-free could occur when printing to PDF - CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 - fixed: Splitter arrow between task list and task description did not behave as expected - fixed: Calendar Event Attendees dialog had incorrectly sized rows The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1858,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1858,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1858,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-1858,SUSE-SLE-Product-WE-15-SP5-2024-1858,SUSE-SLE-Product-WE-15-SP6-2024-1858,openSUSE-SLE-15.5-2024-1858,openSUSE-SLE-15.6-2024-1858 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ Link for SUSE-SU-2024:1858-1 https://lists.suse.com/pipermail/sle-security-updates/2024-August/019264.html E-Mail link for SUSE-SU-2024:1858-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224056 SUSE Bug 1224056 https://www.suse.com/security/cve/CVE-2024-4367/ SUSE CVE CVE-2024-4367 page https://www.suse.com/security/cve/CVE-2024-4767/ SUSE CVE CVE-2024-4767 page https://www.suse.com/security/cve/CVE-2024-4768/ SUSE CVE CVE-2024-4768 page https://www.suse.com/security/cve/CVE-2024-4769/ SUSE CVE CVE-2024-4769 page https://www.suse.com/security/cve/CVE-2024-4770/ SUSE CVE CVE-2024-4770 page https://www.suse.com/security/cve/CVE-2024-4777/ SUSE CVE CVE-2024-4777 page SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 MozillaThunderbird-115.11.0-150200.8.160.1 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 MozillaThunderbird-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-115.11.0-150200.8.160.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-115.11.0-150200.8.160.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 as a component of openSUSE Leap 15.6 A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. CVE-2024-4367 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ https://www.suse.com/security/cve/CVE-2024-4367.html CVE-2024-4367 https://bugzilla.suse.com/1224056 SUSE Bug 1224056 If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. CVE-2024-4767 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ https://www.suse.com/security/cve/CVE-2024-4767.html CVE-2024-4767 https://bugzilla.suse.com/1224056 SUSE Bug 1224056 A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. CVE-2024-4768 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ https://www.suse.com/security/cve/CVE-2024-4768.html CVE-2024-4768 https://bugzilla.suse.com/1224056 SUSE Bug 1224056 When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. CVE-2024-4769 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ https://www.suse.com/security/cve/CVE-2024-4769.html CVE-2024-4769 https://bugzilla.suse.com/1224056 SUSE Bug 1224056 When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. CVE-2024-4770 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ https://www.suse.com/security/cve/CVE-2024-4770.html CVE-2024-4770 https://bugzilla.suse.com/1224056 SUSE Bug 1224056 Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. CVE-2024-4777 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.11.0-150200.8.160.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.11.0-150200.8.160.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241858-1/ https://www.suse.com/security/cve/CVE-2024-4777.html CVE-2024-4777 https://bugzilla.suse.com/1224056 SUSE Bug 1224056