openSUSE Security Update: Security update for MozillaThunderbird

Announcement ID:    openSUSE-SU-2020:2096-1
Rating:             important
References:         #1178894 
Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951
                    CVE-2020-26953 CVE-2020-26956 CVE-2020-26958
                    CVE-2020-26959 CVE-2020-26960 CVE-2020-26961
                    CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
Affected Products:
                    openSUSE Leap 15.2

   An update that fixes 12 vulnerabilities is now available.


   This update for MozillaThunderbird fixes the following issues:

   - Mozilla Thunderbird 78.5.0
     * new: OpenPGP: Added option to disable attaching the public key to a
       signed message (bmo#1654950)
     * new: MailExtensions: "compose_attachments" context added to Menus API
     * new: MailExtensions: Menus API now available on displayed messages
     * changed: MailExtensions: browser.tabs.create will now wait for
       "mail-delayed-startup-finished" event (bmo#1674407)
     * fixed: OpenPGP: Support for inline PGP messages improved (bmo#1672851)
     * fixed: OpenPGP: Message security dialog showed unverified keys as
       unavailable (bmo#1675285)
     * fixed: Chat: New chat contact menu item did not function (bmo#1663321)
     * fixed: Various theme and usability improvements (bmo#1673861)
     * fixed: Various security fixes MFSA 2020-52 (bsc#1178894)
     * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and
       bypass security sanitizer for chrome privileged code
     * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin
       images during drawImage calls
     * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without
       displaying the security UI
     * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard
     * CVE-2020-26958 (bmo#1669355) Requests intercepted through
       ServiceWorkers lacked MIME type restrictions
     * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
     * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of
     * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
     * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP
     * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered
       typed passwords
     * CVE-2020-26966 (bmo#1663571) Single-word search queries were also
       broadcast to local network
     * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739,
       bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs
       fixed in Thunderbird 78.5

   - Mozilla Thunderbird 78.4.3
     * fixed: User interface was inconsistent when switching from the default
       theme to the dark theme and back to the default theme (bmo#1659282)
     * fixed: Email subject would disappear when hovering over it with the
       mouse when using Windows 7 Classic theme (bmo#1675970)

   This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2020-2096=1
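
To confirm after patching that a host is on the fixed release, the script below compares the installed MozillaThunderbird version against 78.5.0 component by component, because a plain string comparison would rank 78.10 below 78.5. It is an added example, not part of the openSUSE announcement; the function names and the --check flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether the installed Thunderbird is at or above the
# fixed release named in the advisory. Only the upstream VERSION field is
# compared; the RPM release/epoch fields are ignored (assumption).
FIXED_VERSION="78.5.0"          # from the advisory text
PACKAGE="MozillaThunderbird"    # package name from the advisory title

# version_ge A B: return 0 if dotted numeric version A >= B.
# Components are compared as integers, so 78.10.1 ranks above 78.5.0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Drop any non-numeric suffix and treat missing components as 0.
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# classify VERSION: print "fixed", "vulnerable" or "not-installed".
classify() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Query the local RPM database only when called with --check (hypothetical
# flag), so the functions above can also be sourced by other scripts.
if [ "${1:-}" = "--check" ]; then
    installed=$(rpm -q --qf '%{VERSION}' "$PACKAGE" 2>/dev/null) || installed=""
    state=$(classify "$installed")
    echo "$PACKAGE ${installed:-none}: $state"
    [ "$state" != "vulnerable" ]
fi
```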

Package List:

   - openSUSE Leap 15.2 (x86_64):

