Bug 1176899 - VUL-0: CVE-2020-15677, CVE-2020-15676, CVE-2020-15678, CVE-2020-15673: MozillaThunderbird: Update to 78.3.0
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Martin Sirringhaus
Security Team bot
https://smash.suse.de/issue/268134/
Reported: 2020-09-24 08:04 UTC by Wolfgang Frisch
Modified: 2020-10-31 14:15 UTC

Description Wolfgang Frisch 2020-09-24 08:04:38 UTC
https://ftp.mozilla.org/pub/thunderbird/releases/78.3.0/

Release notes pending.
Comment 1 Martin Sirringhaus 2020-09-24 13:48:32 UTC
Note: Due to possibly disruptive changes upstream (*), we decided to first update Tumbleweed and let it settle there for a week or two. Then update SLE/Leap.

(*) Removal of support for system gpg-integration and introduction of Thunderbird's own keyring and openpgp-implementation.
Comment 2 Wolfgang Frisch 2020-09-24 16:11:32 UTC
Mozilla Foundation Security Advisory 2020-44
Security Vulnerabilities fixed in Thunderbird 78.3

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2020-15677: Download origin spoofing via redirect
CVE-2020-15676: XSS when pasting attacker-controlled data into a contenteditable element
CVE-2020-15678: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
Comment 6 Swamp Workflow Management 2020-10-29 20:17:47 UTC
SUSE-SU-2020:3091-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1174230,1176384,1176756,1176899,1177977
CVE References: CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.4.0-3.99.1
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-78.4.0-3.99.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    mozilla-nspr-4.25.1-3.15.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    mozilla-nspr-4.25.1-3.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-10-31 02:14:52 UTC
openSUSE-SU-2020:1780-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1174230,1176384,1176756,1176899,1177977
CVE References: CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-78.4.0-lp152.2.13.1, mozilla-nspr-4.25.1-lp152.2.3.1
Comment 8 Swamp Workflow Management 2020-10-31 14:15:07 UTC
openSUSE-SU-2020:1785-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1174230,1176384,1176756,1176899,1177977
CVE References: CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-78.4.0-lp151.2.53.1, mozilla-nspr-4.25.1-lp151.2.13.1