Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:4334-1 Final 1 1 2022-12-06T15:02:06Z current 2022-12-06T15:02:06Z 2022-12-06T15:02:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Update to version 102.5.1: - CVE-2022-45414: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content (bsc#1205941). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-4334,SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-4334,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4334,SUSE-SLE-Product-WE-15-SP3-2022-4334,SUSE-SLE-Product-WE-15-SP4-2022-4334,openSUSE-SLE-15.3-2022-4334,openSUSE-SLE-15.4-2022-4334 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20224334-1/ Link for SUSE-SU-2022:4334-1 https://lists.suse.com/pipermail/sle-security-updates/2022-December/013195.html E-Mail link for SUSE-SU-2022:4334-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1205941 SUSE Bug 1205941 https://www.suse.com/security/cve/CVE-2022-45414/ SUSE CVE CVE-2022-45414 page SUSE Linux Enterprise Module for Package Hub 15 SP3 SUSE Linux Enterprise Module for Package Hub 15 SP4 SUSE Linux Enterprise Workstation Extension 15 SP3 SUSE Linux Enterprise Workstation Extension 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 MozillaThunderbird-102.5.1-150200.8.93.1 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 MozillaThunderbird-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP3 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP3 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP3 MozillaThunderbird-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 MozillaThunderbird-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP4 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP4 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP4 MozillaThunderbird-102.5.1-150200.8.93.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-102.5.1-150200.8.93.1 as a component of openSUSE Leap 15.4 MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 as a component of openSUSE Leap 15.4 MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 as a component of openSUSE Leap 15.4 If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1. CVE-2022-45414 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-102.5.1-150200.8.93.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 SUSE Linux Enterprise Module for Package Hub 15 SP3:MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-102.5.1-150200.8.93.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-102.5.1-150200.8.93.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-102.5.1-150200.8.93.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 SUSE Linux Enterprise Workstation Extension 15 SP4:MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 openSUSE Leap 15.3:MozillaThunderbird-102.5.1-150200.8.93.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 openSUSE Leap 15.4:MozillaThunderbird-102.5.1-150200.8.93.1 openSUSE Leap 15.4:MozillaThunderbird-translations-common-102.5.1-150200.8.93.1 openSUSE Leap 15.4:MozillaThunderbird-translations-other-102.5.1-150200.8.93.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20224334-1/ https://www.suse.com/security/cve/CVE-2022-45414.html CVE-2022-45414 https://bugzilla.suse.com/1205941 SUSE Bug 1205941