openSUSE Security Update: Security update for seamonkey
______________________________________________________________________________

Announcement ID: openSUSE-SU-2023:0278-1
Rating: important
References: #1207332 #1209994 #1213986
Cross-References: CVE-2023-4863
CVSS scores:
CVE-2023-4863 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-4863 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for seamonkey fixes the following issues:

update to SeaMonkey 2.53.17.1

* Upstream libwebp security fix bug 1852749.
* CVE-2023-4863: Heap buffer overflow in libwebp bug 1852649.
* Fix bad string encoded in ansi. l10n fr problem only bug 1847887.
* SeaMonkey 2.53.17 uses the same backend as Firefox and contains the
relevant Firefox 60.8 security fixes.
* SeaMonkey 2.53.17 shares most parts of the mail and news code with
Thunderbird. Please read the Thunderbird 60.8.0 release notes for
specific security fixes in this release.
* Additional important security fixes up to Current Firefox 115.3 and
Thunderbird 115.3 ESR plus many enhancements have been backported. We
will continue to enhance SeaMonkey security in subsequent 2.53.x beta
and release versions as fast as we are able to.

update to SeaMonkey 2.53.17

* Fix macOS Contacts permission request bug 1826719.
* Remove SeaMonkey 2.57 links from debugQA bug 1829683.
* Treat opening urls from the library as external bug 1619108.
* Disable spam warning for autogenerated links in plaintext messages bug
619031.
* Switch SeaMonkey build files to Python 3 bug 1635849.
* Remove empty overlays from Composer bug 1828533.
* Move xpfe autocomplete to comm-central suite bug 1418512.
* Remove nsIPrefBranch2 and nsIPrefBranchInternal bug 1374847.
* SeaMonkey 2.53.17 uses the same backend as Firefox and contains the
relevant Firefox 60.8 security fixes.
* SeaMonkey 2.53.17 shares most parts of the mail and news code with
Thunderbird. Please read the Thunderbird 60.8.0 release notes for
specific security fixes in this release.
* Additional important security fixes up to Current Firefox 102.11 and
Thunderbird 102.11 ESR plus many enhancements have been backported. We
will continue to enhance SeaMonkey security in subsequent 2.53.x beta
and release versions as fast as we are able to.

Update to SeaMonkey 2.53.16

* No throbber in plaintext editor bug 85498.
* Remove unused gridlines class from EdAdvancedEdit bug 1806632.
* Remove ESR 91 links from debugQA bug 1804534.
* Rename devtools/shim to devtools/startup bug 1812367.
* Remove unused seltype=text|cell css bug 1806653.
* Implement new shared tree styling bug 1807802.
* Use `win.focus()` in macWindowMenu.js bug 1807817.
* Remove WCAP provider bug 1579020.
* Remove ftp/file tree view support bug 1239239.
* Change calendar list tree to a list bug 1561530.
* Various other updates to the calendar code.
* Continue the switch from Python 2 to Python 3 in the build system.
* Verified compatibility with Rust 1.66.1.
* SeaMonkey 2.53.16 uses the same backend as Firefox and contains the
relevant Firefox 60.8 security fixes.
* SeaMonkey 2.53.16 shares most parts of the mail and news code with
Thunderbird. Please read the Thunderbird 60.8.0 release notes for
specific security fixes in this release.
* Additional important security fixes up to Current Firefox 102.9 and
Thunderbird 102.9 ESR plus many enhancements have been backported. We
will continue to enhance SeaMonkey security in subsequent 2.53.x beta
and release versions as fast as we are able to.

Update to SeaMonkey 2.53.15

* Microtasks and promises bug 1193394.
* Implement queueMicrotask()bug 1480236.
* Remove old synchronous contentPrefService from the tree bug 886907 and
bug 1392929.
* Remove remaining uses of 'general.useragent.locale' bug 1410736 and
bug 1410738.
* Migrate to intl.locale.requested.locale list from
'general.useragent.locale' bug 1441016.
* Introduce a pref to store BCP47 locale list bug 1414390, bug 1423532
and bug 1441026.
* Remove synchronous certificate verification APIs from nsIX509CertDB
bug 1453741 and bug 1453778.
* Taskbar preview's favicon appears blank bug 1475524.
* Call Imagelibs decodeImageAsyncWindows using a callback bug 1790695.
* Remove PermissionsService from process Windows sandboxing code bug
1788233, bug 1789782 and bug 1794394.
* Security info dialog doesn't show cert status anymore bug 1293378.
* Replace nsIPlatfromCharset in mailnews bug 1381762.
* Replace use of nsMsgI18NFileSystemCharset() with
NS_CopyUnicodeToNative/NS_CopyNativeToUnicode() bug 1506422.
* Cater for Outlook's/Hotmail's 'Deleted' folder bug 1320191.
* Make some filter methods scriptable bug 1497513.
* Fix crash in nsMsgFilterAfterTheFact::ApplyFilter() caused by async
reset of 'm_curFolder' bug 537017.
* Localize messages from nsIMsgFolder.logRuleHitFail() bug 1352731.
* Add logging of message filter runs and actions bug 697522.
* Check that we got a non-null header before running a filter on it (and
crashing) bug 1563959.
* With CONDSTORE, eliminate unneeded flag fetches at startup bug 1428097.
* Fix so custom tags (keywords) are visible to all users bug 583677.
* Improve handling of tags on shared folders bug 1596371.
* Allow setting/resetting junk marking by user for yahoo/aol to stick
bug 1260059.
* Don't check subject if spellchecker is not ready bug 1069787.
* Grammar issues in mailnews_account_settings.xhtml bug 1793291.
* Remove use of nsIMemory bug 1792578.
* Replace obsolete GetStringBundleService call in SeaMonkey bug 1794400.
* SeaMonkey crashes on MacOS Ventura 13.0 bug 1797696.
* Continue the switch from Python 2 to Python 3 in the build system.
* Added support for clang 15 and macOS SDK 11.3.
* Verified compatibility with Rust 1.65.
* SeaMonkey 2.53.15 uses the same backend as Firefox and contains the
relevant Firefox 60.8 security fixes.
* SeaMonkey 2.53.15 shares most parts of the mail and news code with
Thunderbird. Please read the Thunderbird 60.8.0 release notes for
specific security fixes in this release.
* Additional important security fixes up to Current Firefox 102.6 and
Thunderbird 102.5 ESR plus many enhancements have been backported. We
will continue to enhance SeaMonkey security in subsequent 2.53.x beta
and release versions as fast as we are able to.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-278=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):

seamonkey-2.53.17.1-bp155.2.3.1
seamonkey-dom-inspector-2.53.17.1-bp155.2.3.1
seamonkey-irc-2.53.17.1-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2023-4863.html
https://bugzilla.suse.com/1207332
https://bugzilla.suse.com/1209994
https://bugzilla.suse.com/1213986

openSUSE: 2023:0278-1 important: seamonkey

October 2, 2023

An update that solves one vulnerability and has two fixes is now available

Description

This update for seamonkey fixes the following issues: update to SeaMonkey 2.53.17.1 * Upstream libwebp security fix bug 1852749. * CVE-2023-4863: Heap buffer overflow in libwebp bug 1852649. * Fix bad string encoded in ansi. l10n fr problem only bug 1847887. * SeaMonkey 2.53.17 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes. * SeaMonkey 2.53.17 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.8.0 release notes for specific security fixes in this release. * Additional important security fixes up to Current Firefox 115.3 and Thunderbird 115.3 ESR plus many enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to. update to SeaMonkey 2.53.17 * Fix macOS Contacts permission request bug 1826719. * Remove SeaMonkey 2.57 links from debugQA bug 1829683. * Treat opening urls from the library as external bug 1619108. * Disable spam warning for autogenerated links in plaintext messages bug 619031. * Switch SeaMonkey build files to Python 3 bug 1635849. * Remove empty overlays from Composer bug 1828533. * Move xpfe autocomplete to comm-central suite bug 1418512. * Remove nsIPrefBranch2 and nsIPrefBranchInternal bug 1374847. * SeaMonkey 2.53.17 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes. * SeaMonkey 2.53.17 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.8.0 release notes for specific security fixes in this release. * Additional important security fixes up to Current Firefox 102.11 and Thunderbird 102.11 ESR plus many enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to. Update to SeaMonkey 2.53.16 * No throbber in plaintext editor bug 85498. * Remove unused gridlines class from EdAdvancedEdit bug 1806632. * Remove ESR 91 links from debugQA bug 1804534. * Rename devtools/shim to devtools/startup bug 1812367. * Remove unused seltype=text|cell css bug 1806653. * Implement new shared tree styling bug 1807802. * Use `win.focus()` in macWindowMenu.js bug 1807817. * Remove WCAP provider bug 1579020. * Remove ftp/file tree view support bug 1239239. * Change calendar list tree to a list bug 1561530. * Various other updates to the calendar code. * Continue the switch from Python 2 to Python 3 in the build system. * Verified compatibility with Rust 1.66.1. * SeaMonkey 2.53.16 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes. * SeaMonkey 2.53.16 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.8.0 release notes for specific security fixes in this release. * Additional important security fixes up to Current Firefox 102.9 and Thunderbird 102.9 ESR plus many enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to. Update to SeaMonkey 2.53.15 * Microtasks and promises bug 1193394. * Implement queueMicrotask()bug 1480236. * Remove old synchronous contentPrefService from the tree bug 886907 and bug 1392929. * Remove remaining uses of 'general.useragent.locale' bug 1410736 and bug 1410738. * Migrate to intl.locale.requested.locale list from 'general.useragent.locale' bug 1441016. * Introduce a pref to store BCP47 locale list bug 1414390, bug 1423532 and bug 1441026. * Remove synchronous certificate verification APIs from nsIX509CertDB bug 1453741 and bug 1453778. * Taskbar preview's favicon appears blank bug 1475524. * Call Imagelibs decodeImageAsyncWindows using a callback bug 1790695. * Remove PermissionsService from process Windows sandboxing code bug 1788233, bug 1789782 and bug 1794394. * Security info dialog doesn't show cert status anymore bug 1293378. * Replace nsIPlatfromCharset in mailnews bug 1381762. * Replace use of nsMsgI18NFileSystemCharset() with NS_CopyUnicodeToNative/NS_CopyNativeToUnicode() bug 1506422. * Cater for Outlook's/Hotmail's 'Deleted' folder bug 1320191. * Make some filter methods scriptable bug 1497513. * Fix crash in nsMsgFilterAfterTheFact::ApplyFilter() caused by async reset of 'm_curFolder' bug 537017. * Localize messages from nsIMsgFolder.logRuleHitFail() bug 1352731. * Add logging of message filter runs and actions bug 697522. * Check that we got a non-null header before running a filter on it (and crashing) bug 1563959. * With CONDSTORE, eliminate unneeded flag fetches at startup bug 1428097. * Fix so custom tags (keywords) are visible to all users bug 583677. * Improve handling of tags on shared folders bug 1596371. * Allow setting/resetting junk marking by user for yahoo/aol to stick bug 1260059. * Don't check subject if spellchecker is not ready bug 1069787. * Grammar issues in mailnews_account_settings.xhtml bug 1793291. * Remove use of nsIMemory bug 1792578. * Replace obsolete GetStringBundleService call in SeaMonkey bug 1794400. * SeaMonkey crashes on MacOS Ventura 13.0 bug 1797696. * Continue the switch from Python 2 to Python 3 in the build system. * Added support for clang 15 and macOS SDK 11.3. * Verified compatibility with Rust 1.65. * SeaMonkey 2.53.15 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes. * SeaMonkey 2.53.15 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.8.0 release notes for specific security fixes in this release. * Additional important security fixes up to Current Firefox 102.6 and Thunderbird 102.5 ESR plus many enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-278=1

Package List

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64): seamonkey-2.53.17.1-bp155.2.3.1 seamonkey-dom-inspector-2.53.17.1-bp155.2.3.1 seamonkey-irc-2.53.17.1-bp155.2.3.1

References

https://www.suse.com/security/cve/CVE-2023-4863.html https://bugzilla.suse.com/1207332 https://bugzilla.suse.com/1209994 https://bugzilla.suse.com/1213986