Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2415-1 Final 1 1 2024-07-12T08:28:29Z current 2024-07-12T08:28:29Z 2024-07-12T08:28:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Security fixes: - CVE-2024-34703: Fixed denial of service due to overly large elliptic curve parameters in Botan (bsc#1227239) Other fixes: - Mozilla Thunderbird 115.12.1 * 115.12.0 got pulled because of upstream automation process errors and Windows installer signing changes. No code changes, changelog is the same as 115.12.0 (bsc#1226495) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2415,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-2415,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-2415,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-2415,SUSE-SLE-Product-WE-15-SP5-2024-2415,SUSE-SLE-Product-WE-15-SP6-2024-2415,openSUSE-SLE-15.5-2024-2415,openSUSE-SLE-15.6-2024-2415 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242415-1/ Link for SUSE-SU-2024:2415-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018939.html E-Mail link for SUSE-SU-2024:2415-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1226495 SUSE Bug 1226495 https://bugzilla.suse.com/1227239 SUSE Bug 1227239 https://www.suse.com/security/cve/CVE-2024-34703/ SUSE CVE CVE-2024-34703 page SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 MozillaThunderbird-115.12.2-150200.8.168.1 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 MozillaThunderbird-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-115.12.2-150200.8.168.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-115.12.2-150200.8.168.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 as a component of openSUSE Leap 15.6 Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan. CVE-2024-34703 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-115.12.2-150200.8.168.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-115.12.2-150200.8.168.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-115.12.2-150200.8.168.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-115.12.2-150200.8.168.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 openSUSE Leap 15.5:MozillaThunderbird-115.12.2-150200.8.168.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 openSUSE Leap 15.6:MozillaThunderbird-115.12.2-150200.8.168.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-115.12.2-150200.8.168.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-115.12.2-150200.8.168.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242415-1/ https://www.suse.com/security/cve/CVE-2024-34703.html CVE-2024-34703 https://bugzilla.suse.com/1227238 SUSE Bug 1227238