Thunderbird 91.5.0 fixes various security issues

Thunderbird 91.5.0 Stable is a security update that fixes several issues in the open source email client.

The new version of Thunderbird Stable is now available. It is sent to users’ systems, provided that automatic updating has not been disabled.

Thunderbird users can run manual update checks to install the update sooner. Select Help > About Thunderbird to display the installed version and have Thunderbird run a search for updates manually. Users who do not see the menu bar must press the Alt key on the keyboard to display it.

The official release notes list only three entries: two refer to fixed issues in the email client, one links to the security advisories page, which details fixed security issues in the client.

The two non-security issues that were fixed address an RSS keyword tag display issue and a lack of information in Thunderbird’s About dialog page.

The Security Advisory page for Thunderbird 91.5 lists 14 security issues, many of which stem from code that Thunderbird shares with the Firefox web browser.

The highest severity rating of all vulnerabilities is High, second only to Critical. Here is the full list of security issues patched in the new version of Thunderbird:

1. CVE-2022-22746: Calling reportValidity could have led to a fake fullscreen window
2. CVE-2022-22743: Fake browser window using full screen mode
3. CVE-2022-22742: memory access out of bounds when inserting text in edit mode
4. CVE-2022-22741: Browser window spoofing using full screen mode
5. CVE-2022-22740: Use-after-free de ChannelEventQueue::mOwner
6. CVE-2022-22738: Heap-buffer-overflow en blendGaussianBlur
7. CVE-2022-22737: Race condition when playing audio files
8. CVE-2021-4140: iframe sandbox bypass with XSLT
9. CVE-2022-22748: spoofed origin in external protocol launch dialog
10. CVE-2022-22745: Cross-origin URL leak via security policy violation event
11. CVE-2022-22744: ‘Copy as curl’ feature in DevTools did not fully escape website controlled data, which could lead to command injection
12. CVE-2022-22747: fail to handle empty pkcs7 stream
13. CVE-2022-22739: missing limitation in external protocol start dialog
14. CVE-2022-22751: Fixed memory security bugs in Thunderbird 91.5

Now you: do you use Thunderbird? What would you like to see supported?

advertising