File _patchinfo of Package patchinfo.21500

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.21500

<patchinfo incident="21500">
  <issue tracker="bnc" id="1182863">MozillaThunderbird: plain text reformatting regression</issue>
  <issue tracker="bnc" id="1189547">VUL-0: CVE-2021-29991: MozillaFirefox,MozillaThunderbird: Header Splitting possible with HTTP/3 Responses (MFSA2021-37)</issue>
  <issue tracker="bnc" id="1190244">(CVE-2021-40529) VUL-0: CVE-2021-40529: Botan,MozillaThunderbird: ElGamal implementation allows plaintext recovery</issue>
  <issue tracker="bnc" id="1190269">VUL-0: MozillaFirefox: multiple vulnerabilities fixed in ESR 78.14, ESR 91.1, 92</issue>
  <issue tracker="bnc" id="1191332">VUL-0: MozillaFirefox / MozillaThunderbird: update to 93 and 91.2esr/78.15esr</issue>
  <issue tracker="bnc" id="1192250">VUL-0: MozillaFirefox / MozillaThunderbird: update to 94 and 91.3esr</issue>
  <issue tracker="bnc" id="1193485">VUL-0: MozillaFirefox / MozillaThunderbird: update to 95 and 91.4esr</issue>
  <issue tracker="cve" id="2021-29981"/>
  <issue tracker="cve" id="2021-29982"/>
  <issue tracker="cve" id="2021-29987"/>
  <issue tracker="cve" id="2021-29991"/>
  <issue tracker="cve" id="2021-32810"/>
  <issue tracker="cve" id="2021-38492"/>
  <issue tracker="cve" id="2021-38493"/>
  <issue tracker="cve" id="2021-38495"/>
  <issue tracker="cve" id="2021-38496"/>
  <issue tracker="cve" id="2021-38497"/>
  <issue tracker="cve" id="2021-38498"/>
  <issue tracker="cve" id="2021-38500"/>
  <issue tracker="cve" id="2021-38501"/>
  <issue tracker="cve" id="2021-38502"/>
  <issue tracker="cve" id="2021-38503"/>
  <issue tracker="cve" id="2021-38504"/>
  <issue tracker="cve" id="2021-38505"/>
  <issue tracker="cve" id="2021-38506"/>
  <issue tracker="cve" id="2021-38507"/>
  <issue tracker="cve" id="2021-38508"/>
  <issue tracker="cve" id="2021-38509"/>
  <issue tracker="cve" id="2021-38510"/>
  <issue tracker="cve" id="2021-40529"/>
  <issue tracker="cve" id="2021-43528"/>
  <issue tracker="cve" id="2021-43536"/>
  <issue tracker="cve" id="2021-43537"/>
  <issue tracker="cve" id="2021-43538"/>
  <issue tracker="cve" id="2021-43539"/>
  <issue tracker="cve" id="2021-43541"/>
  <issue tracker="cve" id="2021-43542"/>
  <issue tracker="cve" id="2021-43543"/>
  <issue tracker="cve" id="2021-43545"/>
  <issue tracker="cve" id="2021-43546"/>
  <packager>cgrobertson</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

- Update to version 91.4 MFSA 2021-54 (bsc#1193485)
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- CVE-2021-43528: JavaScript unexpectedly enabled for the composition area

- Update to version 91.3.2
- CVE-2021-40529: Fixed ElGamal implementation could allow plaintext recovery (bsc#1190244)

- Update to version 91.3 MFSA 2021-50 (bsc#1192250)
- CVE-2021-38503: Fixed iframe sandbox rules did not apply to XSLT stylesheets
- CVE-2021-38504: Fixed use-after-free in file picker dialog
- CVE-2021-38505: Fixed Windows 10 Cloud Clipboard may have recorded sensitive user data
- CVE-2021-38506: Fixed Thunderbird could be coaxed into going into fullscreen mode without notification or warning
- CVE-2021-38507: Fixed opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
- CVE-2021-38508: Fixed permission Prompt could be overlaid, resulting in user confusion and potential spoofing
- CVE-2021-38509: Fixed Javascript alert box could have been spoofed onto an arbitrary domain
- CVE-2021-38510: Fixed Download Protections were bypassed by .inetloc files on Mac OS
- Fixed plain text reformatting regression (bsc#1182863)

- Update to version 91.2 MFSA 2021-47 (bsc#1191332)
- CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
- CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion
- CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
- CVE-2021-32810: Data race in crossbeam-deque
- CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and Thunderbird 91.1
- CVE-2021-38496: Use-after-free in MessageTask
- CVE-2021-38497: Validation message could have been overlaid on another origin
- CVE-2021-38498: Use-after-free of nsLanguageAtomService object
- CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2
- CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2
- CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections

- Update to version 91.1.0 MFSA 2021-41 (bsc#1190269)
- CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
- CVE-2021-38495: Memory safety bugs fixed in Thunderbird 91.1

- Update to version 91.0.1 MFSA 2021-37 (bsc#1189547)
- CVE-2021-29991: Header Splitting possible with HTTP/3 Responses
</description>
</patchinfo>

Places

File _patchinfo of Package patchinfo.21500

Places