The free mail client Thunderbird, available for Linux, Windows and macOS, has received update 102.7.0. The update closes 8 security vulnerabilities and fixes various bugs.
Caution: version 102.7.0 has a problem with authentication against Microsoft 365 Business accounts. Anyone affected should therefore wait for the next bugfix release, version 102.7.1.
UNRESOLVED
OAuth2 authentication not working for Microsoft 365 Enterprise accounts. See the Blog post for additional information. Bug 1810760
Thunderbird 102.7.0 Release Notes
NEW
- Enterprise policies now support Thunderbird-specific preferences
FIXED
- Localized builds and langpacks now use "comm-l10n" repository; downstream builds using official langpacks should not need to make changes
- Having too many folders open at startup caused loss of MSF files
- Copying an email from one local folder to another local folder sometimes caused "Another Operation is using the folder" error on Windows 7
- Email address pill allowed for incorrectly formatted email addresses
- Creating security exceptions for messages sent using a self-signed certificate failed if hostname contained uppercase letters
- S/MIME certificate verification was prohibitively slow
- OpenPGP key import failed for key blocks with comments that contain Unicode characters
- Chat conversation sidebar was too wide under certain circumstances, making scrollbar unusable
- On Mac, deleting events from Today Pane with "Backspace" key deleted selected messages instead
Thunderbird 102.7.0 Security Notes
CVE-2022-46871: libusrsctp library out of date
Reporter: Mozilla Developers
Impact: high
Description: An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited.
References: Bug 1795697
CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
Reporter: Tom Schuster
Impact: high
Description: Due to the Thunderbird GTK wrapper code’s use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to DataTransfer.setData.
References: Bug 1800425
CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
Reporter: Vadim
Impact: moderate
Description: When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within.
References: Bug 1777800
CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
Reporter: Luan Herrera
Impact: moderate
Description: Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks.
References: Bug 1794268
CVE-2023-23602: Content Security Policy wasn’t being correctly applied to WebSockets in WebWorkers
Reporter: Dave Vandyke
Impact: moderate
Description: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers.
References: Bug 1800890
CVE-2022-46877: Fullscreen notification bypass
Reporter: Hafiizh
Impact: low
Description: By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks.
References: Bug 1795139
CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
Reporter: Dan Veditz
Impact: low
Description: Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren’t accounting for external URLs. Data could then be potentially exfiltrated from the browser.
References: Bug 1800832
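The class of filtering gap described in CVE-2023-23603, as an added JavaScript example that is not Mozilla's code: a name-only blocklist for console.log style text beside an allowlist that also validates values. All function names, the property and function lists, and the sample style string are assumptions constructed for illustration.

```javascript
// Added illustration of filtering CSS given to console.log("%c...", style).
// Hypothetical names and lists; not Mozilla's implementation.
const ALLOWED_PROPERTIES = new Set([
  "color", "background", "background-color", "font-weight", "font-size",
  "text-decoration", "padding", "margin", "border", "border-radius",
]);
const ALLOWED_FUNCTIONS = new Set(["rgb", "rgba", "hsl", "hsla"]);

// Splits "a: b; c: d" into [property, value] pairs; malformed parts are dropped.
function parseDeclarations(styleText) {
  return styleText
    .split(";")
    .map((decl) => {
      const idx = decl.indexOf(":");
      if (idx < 0) return null;
      return [decl.slice(0, idx).trim().toLowerCase(), decl.slice(idx + 1).trim()];
    })
    .filter((pair) => pair !== null && pair[0] !== "" && pair[1] !== "");
}

const serialize = (pairs) => pairs.map(([p, v]) => `${p}: ${v}`).join("; ");

// Weak form (constructed for contrast): a regex blocklist of property names
// that never inspects values, so url(...) survives on a permitted property.
function blocklistFilter(styleText) {
  return serialize(parseDeclarations(styleText)
    .filter(([prop]) => !/^(position|content|cursor)$/.test(prop)));
}

// A value is accepted only if it uses a narrow character set (no ':' '/' or
// '\' escapes) and every function it calls is a known colour function.
function valueIsSafe(value) {
  if (!/^[a-z0-9#%.,\s()-]+$/i.test(value)) return false;
  const calls = value.match(/[a-z-]+(?=\s*\()/gi) || [];
  return calls.every((name) => ALLOWED_FUNCTIONS.has(name.toLowerCase()));
}

// Hardened form: allowlisted property AND validated value.
function allowlistFilter(styleText) {
  return serialize(parseDeclarations(styleText)
    .filter(([prop, value]) => ALLOWED_PROPERTIES.has(prop) && valueIsSafe(value)));
}

// Constructed sample input; example.invalid is a reserved placeholder host.
const SAMPLE_STYLE =
  "color: red; background: url(https://example.invalid/p.png); border: 1px solid #ccc";
```

Running both filters over SAMPLE_STYLE shows the blocklist passing the external reference through unchanged while the allowlist drops that declaration and keeps the other two.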
CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7
Reporter: Mozilla developers and community
Impact: high
Description: Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References: Memory safety bugs fixed in Thunderbird 102.7
Source: Thunderbird — Release Notes (102.7.0) — Thunderbird