Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0982-1 Final 1 1 2020-07-17T16:30:17Z current 2020-07-17T16:30:17Z 2020-07-17T16:30:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird to version 68.10.0 ESR fixes the following issues: - CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576). - CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576). - CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576). - CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576). - CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-982 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42LJZ4E7FAWVTKPVLPQEJB45C3YAMRAT/ E-Mail link for openSUSE-SU-2020:0982-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://www.suse.com/security/cve/CVE-2020-12417/ SUSE CVE CVE-2020-12417 page https://www.suse.com/security/cve/CVE-2020-12418/ SUSE CVE CVE-2020-12418 page https://www.suse.com/security/cve/CVE-2020-12419/ SUSE CVE CVE-2020-12419 page https://www.suse.com/security/cve/CVE-2020-12420/ SUSE CVE CVE-2020-12420 page https://www.suse.com/security/cve/CVE-2020-12421/ SUSE CVE CVE-2020-12421 page openSUSE Leap 15.2 MozillaThunderbird-68.10.0-lp152.2.4.1 MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 MozillaThunderbird-68.10.0-lp152.2.4.1 as a component of openSUSE Leap 15.2 MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 as a component of openSUSE Leap 15.2 MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 as a component of openSUSE Leap 15.2 Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12417 openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42LJZ4E7FAWVTKPVLPQEJB45C3YAMRAT/ https://www.suse.com/security/cve/CVE-2020-12417.html CVE-2020-12417 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12418 openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42LJZ4E7FAWVTKPVLPQEJB45C3YAMRAT/ https://www.suse.com/security/cve/CVE-2020-12418.html CVE-2020-12418 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12419 openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42LJZ4E7FAWVTKPVLPQEJB45C3YAMRAT/ https://www.suse.com/security/cve/CVE-2020-12419.html CVE-2020-12419 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12420 openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42LJZ4E7FAWVTKPVLPQEJB45C3YAMRAT/ https://www.suse.com/security/cve/CVE-2020-12420.html CVE-2020-12420 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230 When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. CVE-2020-12421 openSUSE Leap 15.2:MozillaThunderbird-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-common-68.10.0-lp152.2.4.1 openSUSE Leap 15.2:MozillaThunderbird-translations-other-68.10.0-lp152.2.4.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/42LJZ4E7FAWVTKPVLPQEJB45C3YAMRAT/ https://www.suse.com/security/cve/CVE-2020-12421.html CVE-2020-12421 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230