Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4326-1 Final 1 1 2024-12-16T13:11:14Z current 2024-12-16T13:11:14Z 2024-12-16T13:11:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: - CVE-2024-50336: Fixed insufficient MXC URI validation which could allow client-side path traversal (bsc#1234413) Other fixes: - Updated to Mozilla Thunderbird 128.5.2i (bsc#1234413): * fixed: Large virtual folders could be very slow * fixed: Message could disappear after moving from IMAP folder followed by Undo and Redo * fixed: XMPP chat did not display messages sent inside a CDATA element * fixed: Selected calendar day did not move forward at midnight * fixed: Today pane agenda sometimes scrolled for no apparent reason * fixed: CalDAV calendars without offline support could degrade start-up performance * fixed: Visual and UX improvements * fixed: Security fixes - Updated to Mozilla Thunderbird 128.5.1: * new: Add end of year donation appeal * fixed: Total message count for favorite folders did not work consistently The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-4326,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4326,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4326,SUSE-SLE-Product-WE-15-SP5-2024-4326,SUSE-SLE-Product-WE-15-SP6-2024-4326,openSUSE-SLE-15.5-2024-4326,openSUSE-SLE-15.6-2024-4326 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244326-1/ Link for SUSE-SU-2024:4326-1 https://lists.suse.com/pipermail/sle-security-updates/2024-December/020008.html E-Mail link for SUSE-SU-2024:4326-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234413 SUSE Bug 1234413 https://www.suse.com/security/cve/CVE-2024-50336/ SUSE CVE CVE-2024-50336 page SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP5 SUSE Linux Enterprise Workstation Extension 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 MozillaThunderbird-128.5.2-150200.8.194.1 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 MozillaThunderbird-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 MozillaThunderbird-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP5 MozillaThunderbird-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-128.5.2-150200.8.194.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 as a component of openSUSE Leap 15.5 MozillaThunderbird-128.5.2-150200.8.194.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 as a component of openSUSE Leap 15.6 matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1. CVE-2024-50336 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-128.5.2-150200.8.194.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.5.2-150200.8.194.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-128.5.2-150200.8.194.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 SUSE Linux Enterprise Workstation Extension 15 SP5:MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.5.2-150200.8.194.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 openSUSE Leap 15.5:MozillaThunderbird-128.5.2-150200.8.194.1 openSUSE Leap 15.5:MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 openSUSE Leap 15.5:MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 openSUSE Leap 15.6:MozillaThunderbird-128.5.2-150200.8.194.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.5.2-150200.8.194.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.5.2-150200.8.194.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244326-1/ https://www.suse.com/security/cve/CVE-2024-50336.html CVE-2024-50336 https://bugzilla.suse.com/1234413 SUSE Bug 1234413 https://bugzilla.suse.com/1234475 SUSE Bug 1234475