{"id":"SUSE-SU-2024:1437-1","summary":"Security update for MozillaThunderbird","details":"This update for MozillaThunderbird fixes the following issues:\n\nUpdate to Mozilla Thunderbird 115.10.1\n\nSecurity fixes (MFSA 2024-20) (bsc#1222535):\n\n- CVE-2024-3852: GetBoundName in the JIT returned the wrong object (bmo#1883542) \n- CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement (bmo#1884552) \n- CVE-2024-3857: Incorrect JITting of arguments led to use-after-free during garbage collection (bmo#1886683) \n- CVE-2024-2609: Permission prompt input delay could expire when not in focus (bmo#1866100) \n- CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the OpenType sanitizer (bmo#1874489) \n- CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move (bmo#1883158) \n- CVE-2024-3863: Download Protections were bypassed by .xrm-ms files on Windows (bmo#1885855) \n- CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames (bmo#1881183, https://kb.cert.org/vuls/id/421644)\n- CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 (bmo#1888333)\n\nOther Fixes:\n  * fixed: Thunderbird processes did not exit cleanly; user\n    intervention was required via task manager (bmo#1891889)\n  * unresolved: After changing password on an IMAP account, the\n    account could become locked due to too many failed login\n    attempts (bmo#1862111)\n  * fixed: Creating a tag in General Settings with a number as\n    the tag name did not work (bmo#1881124)\n  * fixed: Quick Filter button selections did not persist after\n    restart (bmo#1847265)\n  * fixed: Collapsing and expanding message list headers\n    sometimes caused header to scroll out of view (bmo#1862197)\n  * fixed: Single message with no children inside a parent thread\n    sometimes displayed incorrectly as a thread with a duplicate\n    of itself as its child (bmo#1427546)\n  * fixed: 'Get selected messages' menu items did not work\n    (bmo#1867091)\n  * fixed: 'Download and Sync Messages' dialog was too short when\n    using Russian locale, obscuring OK button (bmo#1881795)\n  * fixed: After changing password on an IMAP account, the\n    account could become locked due to too many failed login\n    attempts (bmo#1862111)\n  * fixed: Retrieving multiline POP3 message from server failed\n    if message chunk ended in newline instead of carriage return\n    and newline (bmo#1883760)\n  * fixed: IMAP, POP3, and SMTP Exchange autoconfiguration did\n    not support encryption configuration (bmo#1876992)\n  * fixed: Non-empty address book search bar interfered with\n    displaying/editing contacts (bmo#1833031)\n  * fixed: Deleting attendees from 'Invite Attendees' view\n    removed attendees from view, but not from invite\n    (bmo#1874450)\n  * fixed: Splitter arrow between task list and task description\n    did not behave as expected (bmo#1889562)\n  * fixed: Performance improvements and code cleanup\n    (bmo#1878257,bmo#1883550)\n  * fixed: Security fixes\n  * unresolved: Thunderbird processes did not exit cleanly; user\n    intervention was required via task manager (bmo#1891889)\n","modified":"2026-02-04T02:38:36.465891Z","published":"2024-04-25T17:26:00Z","related":["CVE-2024-2609","CVE-2024-3302","CVE-2024-3852","CVE-2024-3854","CVE-2024-3857","CVE-2024-3859","CVE-2024-3861","CVE-2024-3863","CVE-2024-3864"],"upstream":["CVE-2024-2609","CVE-2024-3302","CVE-2024-3852","CVE-2024-3854","CVE-2024-3857","CVE-2024-3859","CVE-2024-3861","CVE-2024-3863","CVE-2024-3864"],"references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20241437-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222535"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-2609"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3302"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3852"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3854"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3857"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3859"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3861"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3863"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3864"}],"affected":[{"package":{"name":"MozillaThunderbird","ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP5","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"115.10.1-150200.8.157.1"}]}],"ecosystem_specific":{"binaries":[{"MozillaThunderbird-translations-other":"115.10.1-150200.8.157.1","MozillaThunderbird-translations-common":"115.10.1-150200.8.157.1","MozillaThunderbird":"115.10.1-150200.8.157.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1437-1.json"}},{"package":{"name":"MozillaThunderbird","ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP5","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"115.10.1-150200.8.157.1"}]}],"ecosystem_specific":{"binaries":[{"MozillaThunderbird-translations-other":"115.10.1-150200.8.157.1","MozillaThunderbird-translations-common":"115.10.1-150200.8.157.1","MozillaThunderbird":"115.10.1-150200.8.157.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1437-1.json"}},{"package":{"name":"MozillaThunderbird","ecosystem":"openSUSE:Leap 15.5","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"115.10.1-150200.8.157.1"}]}],"ecosystem_specific":{"binaries":[{"MozillaThunderbird-translations-other":"115.10.1-150200.8.157.1","MozillaThunderbird-translations-common":"115.10.1-150200.8.157.1","MozillaThunderbird":"115.10.1-150200.8.157.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1437-1.json"}}],"schema_version":"1.7.3"}