SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaThunderbird (SUSE-SU-2024:4050-1)

high Nessus Plugin ID 212584

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:4050-1 advisory.

- Mozilla Thunderbird 128.4.3
* fixed: Folder corruption could cause Thunderbird to freeze and become unusable
* fixed: Message corruption could be propagated when reading mbox
* fixed: Folder compaction was not abandoned on shutdown
* fixed: Folder compaction did not clean up on failure
* fixed: Collapsed NNTP thread incorrectly indicated there were unread messages
* fixed: Navigating to next unread message did not wait for all messages to be loaded
* fixed: Applying column view to folder and children could break if folder error occurred
* fixed: Remote content notifications were broken with encrypted messages
* fixed: Updating criteria of a saved search resulted in poor search performance
* fixed: Drop-downs may not work in some places
* fixed: Security fixes MFSA 2024-61 (bsc#1233355)
* CVE-2024-11159 Potential disclosure of plaintext in OpenPGP encrypted message

- Mozilla Thunderbird 128.4.2
* changed: Increased the auto-compaction threshold to reduce frequency of compaction
* fixed: New profile creation caused console errors
* fixed: Repair folder could result in older messages showing wrong date and time
* fixed: Recently deleted messages could become undeleted if message compaction failed
* fixed: Visual and UX improvements
* fixed: Clicking on an HTML button could cause Thunderbird to freeze
* fixed: Messages could not be selected for dragging
* fixed: Could not open attached file in a MIME encrypted message
* fixed: Account creation 'Setup Documentation' link was broken
* fixed: Unable to generate QR codes when exporting to mobile in some cases
* fixed: Operating system reauthentication was missing when exporting QR codes for mobile
* fixed: Could not drag all-day events from one day to another in week view

- Mozilla Thunderbird 128.4.1
* new: Add the 20 year donation appeal

- Mozilla Thunderbird 128.4
* new: Export Thunderbird account settings to Thunderbird Mobile via QRCode
* fixed: Unable to send an unencrypted response to an OpenPGP encrypted message
* fixed: Thunderbird update did not update language pack version until another restart
* fixed: Security fixes MFSA 2024-58 (bsc#1231879)
* CVE-2024-10458 Permission leak via embed or object elements
* CVE-2024-10459 Use-after-free in layout with accessibility
* CVE-2024-10460 Confusing display of origin for external protocol handler prompt
* CVE-2024-10461 XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
* CVE-2024-10462 Origin of permission prompt could be spoofed by long URL
* CVE-2024-10463 Cross origin video frame leak
* CVE-2024-10464 History interface could have been used to cause a Denial of Service condition in the browser
* CVE-2024-10465 Clipboard 'paste' button persisted across tabs
* CVE-2024-10466 DOM push subscription message could hang Firefox
* CVE-2024-10467 Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected MozillaThunderbird, MozillaThunderbird-translations-common and / or MozillaThunderbird-translations-other packages.

See Also

https://bugzilla.suse.com/1231879

https://www.suse.com/security/cve/CVE-2024-10458

https://www.suse.com/security/cve/CVE-2024-10459

https://www.suse.com/security/cve/CVE-2024-10460

https://www.suse.com/security/cve/CVE-2024-10461

https://www.suse.com/security/cve/CVE-2024-10462

https://www.suse.com/security/cve/CVE-2024-10463

https://www.suse.com/security/cve/CVE-2024-10464

https://www.suse.com/security/cve/CVE-2024-10465

https://www.suse.com/security/cve/CVE-2024-10466

https://www.suse.com/security/cve/CVE-2024-10467

https://bugzilla.suse.com/1233355

http://www.nessus.org/u?7cdae874

https://www.suse.com/security/cve/CVE-2024-11159

Plugin Details

Severity: High

ID: 212584

File Name: suse_SU-2024-4050-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/12/2024

Updated: 12/12/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-10467

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:mozillathunderbird, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-common, p-cpe:/a:novell:suse_linux:mozillathunderbird-translations-other

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/25/2024

Vulnerability Publication Date: 10/29/2024

Reference Information

CVE: CVE-2024-10458, CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, CVE-2024-10467, CVE-2024-11159

SuSE: SUSE-SU-2024:4050-1