
Thunderbird 102.7.0 Security and Bugfix Release


The free mail client Thunderbird, available for Linux, Windows and macOS, has received update 102.7.0. The update closes 8 security vulnerabilities and fixes various bugs.

Note: version 102.7.0 has a problem with authentication against Microsoft 365 Business accounts. Anyone affected should therefore wait for the next bugfix release, version 102.7.1.

UNRESOLVED

OAuth2 authentication not working for Microsoft 365 Enterprise accounts. See the Blog post for additional information. Bug 1810760

Thunderbird 102.7.0 Release Notes

NEW

  • Enterprise policies now support Thunderbird-specific preferences

FIXED

  • Localized builds and langpacks now use “comm-l10n” repository; downstream builds using official langpacks should not need to make changes
  • Having too many folders open at startup caused loss of MSF files
  • Copying an email from one local folder to another local folder sometimes caused “Another Operation is using the folder” error on Windows 7
  • Email address pill allowed for incorrectly formatted email addresses
  • Creating security exceptions for messages sent using a self-signed certificate failed if hostname contained uppercase letters
  • S/MIME certificate verification was prohibitively slow
  • OpenPGP key import failed for key blocks with comments that contain Unicode characters
  • Chat conversation sidebar was too wide under certain circumstances, making scrollbar unusable
  • On Mac, deleting events from Today Pane with “Backspace” key deleted selected messages instead

Thunderbird 102.7.0 Security Notes

CVE-2022-46871: libusrsctp library out of date

Reporter: Mozilla Developers
Impact: high

Description: An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited.
References: Bug 1795697

CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux

Reporter: Tom Schuster
Impact: high

Description: Because the Thunderbird GTK wrapper code used text/plain for drag data, and GTK treats all text/plain MIMEs containing file URLs as files being dragged, a website could arbitrarily read a file via a call to DataTransfer.setData.
References: Bug 1800425

CVE-2023-23599: Malicious command could be hidden in devtools output on Windows

Reporter: Vadim
Impact: moderate

Description: When copying a network request from the developer tools panel as a curl command, the output was not being properly sanitized and could allow arbitrary commands to be hidden within it.
References: Bug 1777800

CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation

Reporter: Luan Herrera
Impact: moderate

Description: Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks.
References: Bug 1794268

CVE-2023-23602: Content Security Policy wasn’t being correctly applied to WebSockets in WebWorkers

Reporter: Dave Vandyke
Impact: moderate

Description: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers.
References: Bug 1800890

CVE-2022-46877: Fullscreen notification bypass

Reporter: Hafiizh
Impact: low

Description: By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks.
References: Bug 1795139

CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive

Reporter: Dan Veditz
Impact: low

Description: Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren’t accounting for external URLs. Data could then be potentially exfiltrated from the browser.
References: Bug 1800832

CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7

Reporter: Mozilla developers and community
Impact: high

Description: Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References: Memory safety bugs fixed in Thunderbird 102.7

Source: Thunderbird — Release Notes (102.7.0) — Thunderbird
