The free mail client Thunderbird, available for Linux, Windows and macOS, has received update 102.7.0. The update closes 8 security vulnerabilities and fixes various bugs.
Note: version 102.7.0 has a problem with authentication against Microsoft 365 Business accounts. Anyone affected should therefore wait for the next bugfix release, version 102.7.1.
OAuth2 authentication not working for Microsoft 365 Enterprise accounts. See the blog post for additional information (Bug 1810760).
Thunderbird 102.7.0 Release Notes
- Enterprise policies now support Thunderbird-specific preferences
- Localized builds and langpacks now use “comm-l10n” repository; downstream builds using official langpacks should not need to make changes
- Having too many folders open at startup caused loss of MSF files
- Copying an email from one local folder to another local folder sometimes caused “Another Operation is using the folder” error on Windows 7
- Email address pill allowed for incorrectly formatted email addresses
- Creating security exceptions for messages sent using a self-signed certificate failed if hostname contained uppercase letters
- S/MIME certificate verification was prohibitively slow
- OpenPGP key import failed for key blocks with comments that contain Unicode characters
- Chat conversation sidebar was too wide under certain circumstances, making scrollbar unusable
- On Mac, deleting events from Today Pane with “Backspace” key deleted selected messages instead
Thunderbird 102.7.0 Security Notes
CVE-2022-46871: libusrsctp library out of date
Reporter: Mozilla Developers
Description: An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited.
References: Bug 1795697
CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
Description: Due to the Thunderbird GTK wrapper code’s use of text/plain for drag data, and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to
References: Bug 1800425
CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
Description: When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within.
References: Bug 1777800
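As an added example (not Thunderbird's or Firefox's own code), this is the kind of quoting a "copy as cURL" feature needs so that the problem described above cannot occur: every request field is single-quoted for a POSIX shell, header names and values are validated, and a small checker confirms that no shell metacharacter survives outside the quotes. The function names and the sample request are assumptions for illustration.

```javascript
// Added example (not Thunderbird or Firefox code): serializing a captured
// request as a cURL command so that web-influenced fields (URL, header
// values, body) cannot smuggle shell commands into what the user pastes.
// Inside POSIX single quotes every character is literal except ' itself.

function shellQuotePosix(value) {
  // A literal ' is produced by closing the quote, adding \' and reopening.
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Header names are limited to RFC 9110 token characters; a CR or LF in a
// value would otherwise split the pasted command into extra shell lines.
function validateHeader(name, value) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("bad header name");
  if (/[\r\n]/.test(value)) throw new Error("CR/LF in header value");
}

function buildCurlCommand(request) {
  const parts = ["curl", shellQuotePosix(request.url)];
  if (request.method && request.method !== "GET") parts.push("-X", shellQuotePosix(request.method));
  for (const [name, value] of request.headers) {
    validateHeader(name, value);
    parts.push("-H", shellQuotePosix(`${name}: ${value}`));
  }
  if (request.body != null) parts.push("--data-raw", shellQuotePosix(request.body));
  return parts.join(" ");
}

// Test helper: walk the command the way a POSIX shell tokenizes it and
// report any metacharacter (or a dangling quote) outside single quotes.
function hasUnquotedShellMetachar(cmd) {
  let inQuote = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (c === "'") { inQuote = !inQuote; continue; }
    if (inQuote) continue;
    if (c === "\\") { i++; continue; } // backslash escapes the next char
    if (/[;&|`$<>(){}"\n]/.test(c)) return true;
  }
  return inQuote; // an unterminated quote is unsafe too
}

// Constructed sample: a header value that tries to close the quote and
// append its own command (hypothetical, not a real Thunderbird request).
const sampleRequest = {
  url: "https://example.test/api?q=1",
  method: "POST",
  headers: [["X-Trace", "abc'; echo INJECTED; '"]],
  body: '{"k":"v"}',
};
```

Running `hasUnquotedShellMetachar(buildCurlCommand(sampleRequest))` returns false: the injected quote is neutralised as `'\''` and the whole value stays inside one quoted argument.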
CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
Reporter: Luan Herrera
Description: Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks.
References: Bug 1794268
CVE-2023-23602: Content Security Policy wasn’t being correctly applied to WebSockets in WebWorkers
Reporter: Dave Vandyke
Description: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers.
References: Bug 1800890
CVE-2022-46877: Fullscreen notification bypass
Description: By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks.
References: Bug 1795139
CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
Description: Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren’t accounting for external URLs. Data could then be potentially exfiltrated from the browser.
References: Bug 1800832
CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7
Reporter: Mozilla developers and community