Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2874-1 Final 1 1 2021-08-30T13:54:38Z current 2021-08-30T13:54:38Z 2021-08-30T13:54:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Update to version 78.13 (MFSA 2021-35, bsc#1188891) - CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption - CVE-2021-29988: Memory corruption as a result of incorrect style treatment - CVE-2021-29984: Incorrect instruction reordering during JIT optimization - CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption - CVE-2021-29985: Use-after-free media channels - CVE-2021-29989: Memory safety bugs fixed in Thunderbird 78.13 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2874 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ E-Mail link for openSUSE-SU-2021:2874-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188891 SUSE Bug 1188891 https://www.suse.com/security/cve/CVE-2021-29980/ SUSE CVE CVE-2021-29980 page https://www.suse.com/security/cve/CVE-2021-29984/ SUSE CVE CVE-2021-29984 page https://www.suse.com/security/cve/CVE-2021-29985/ SUSE CVE CVE-2021-29985 page https://www.suse.com/security/cve/CVE-2021-29986/ SUSE CVE CVE-2021-29986 page https://www.suse.com/security/cve/CVE-2021-29988/ SUSE CVE CVE-2021-29988 page https://www.suse.com/security/cve/CVE-2021-29989/ SUSE CVE CVE-2021-29989 page openSUSE Leap 15.3 MozillaThunderbird-78.13.0-8.36.1 MozillaThunderbird-translations-common-78.13.0-8.36.1 MozillaThunderbird-translations-other-78.13.0-8.36.1 MozillaThunderbird-78.13.0-8.36.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-translations-common-78.13.0-8.36.1 as a component of openSUSE Leap 15.3 MozillaThunderbird-translations-other-78.13.0-8.36.1 as a component of openSUSE Leap 15.3 Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29980 openSUSE Leap 15.3:MozillaThunderbird-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.13.0-8.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ https://www.suse.com/security/cve/CVE-2021-29980.html CVE-2021-29980 Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29984 openSUSE Leap 15.3:MozillaThunderbird-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.13.0-8.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ https://www.suse.com/security/cve/CVE-2021-29984.html CVE-2021-29984 A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29985 openSUSE Leap 15.3:MozillaThunderbird-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.13.0-8.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ https://www.suse.com/security/cve/CVE-2021-29985.html CVE-2021-29985 A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29986 openSUSE Leap 15.3:MozillaThunderbird-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.13.0-8.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ https://www.suse.com/security/cve/CVE-2021-29986.html CVE-2021-29986 Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29988 openSUSE Leap 15.3:MozillaThunderbird-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.13.0-8.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ https://www.suse.com/security/cve/CVE-2021-29988.html CVE-2021-29988 Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91. CVE-2021-29989 openSUSE Leap 15.3:MozillaThunderbird-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.13.0-8.36.1 openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.13.0-8.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVP63YNT47WLZX6UE7WUKUN3AIGLJGWZ/ https://www.suse.com/security/cve/CVE-2021-29989.html CVE-2021-29989