Description
Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues:
Security fixes:
- CVE-2024-34703: Fixed denial of service due to overly large elliptic curve parameters in Botan (bsc#1227239)
Other fixes:
- Mozilla Thunderbird 115.12.1
- 115.12.0 got pulled because of upstream automation process errors and Windows installer signing changes. No code changes, changelog is the same as 115.12.0 (bsc#1226495)
Package list
SUSE Linux Enterprise Module for Package Hub 15 SP5
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Workstation Extension 15 SP5
SUSE Linux Enterprise Workstation Extension 15 SP6
openSUSE Leap 15.5
openSUSE Leap 15.6
References
- Link for SUSE-SU-2024:2415-1
- E-Mail link for SUSE-SU-2024:2415-1
- SUSE Security Ratings
- SUSE Bug 1226495
- SUSE Bug 1227239
- SUSE CVE CVE-2024-34703 page
Description
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.
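The size limit described above can be enforced on the raw DER before any primality test runs. The following is an added example, not Botan's code or the upstream patch; the function names are illustrative and the sample inputs are constructed.

```python
# Added example; function names are illustrative, sample inputs are constructed.
PRIME_FIELD_OID = bytes.fromhex("2a8648ce3d0101")  # 1.2.840.10045.1.1 (prime-field)
MAX_PRIME_BITS = 521  # limit named in the CVE description

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def explicit_prime_bits(params):
    """Bit length of p for explicit prime-field parameters, None for a named curve."""
    tag, body, _ = read_tlv(params, 0)
    if tag == 0x06:  # OBJECT IDENTIFIER: the curve is identified by name
        return None
    _, _, pos = read_tlv(body, 0)            # version INTEGER
    ftag, field_id, _ = read_tlv(body, pos)  # FieldID SEQUENCE
    otag, oid, pos = read_tlv(field_id, 0)   # fieldType OID
    ptag, p_bytes, _ = read_tlv(field_id, pos)  # prime p
    if (tag, ftag, otag, ptag) != (0x30, 0x30, 0x06, 0x02) or oid != PRIME_FIELD_OID:
        raise ValueError("not explicit prime-field parameters")
    return int.from_bytes(p_bytes, "big").bit_length()

def acceptable(params):
    bits = explicit_prime_bits(params)  # only the length is inspected, p is never tested
    return bits is None or bits <= MAX_PRIME_BITS

def der(tag, content):  # minimal DER encoder, used only to build the constructed samples
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_explicit(p):  # constructed; carries only the leading fields the check reads
    integer = der(0x02, p.to_bytes(p.bit_length() // 8 + 1, "big"))
    return der(0x30, der(0x02, b"\x01") + der(0x30, der(0x06, PRIME_FIELD_OID) + integer))

NAMED_P256 = der(0x06, bytes.fromhex("2a8648ce3d030107"))  # secp256r1 OID
```

Because the check reads only the encoded length of the field prime, its cost stays linear in the input size no matter how large the parameter is.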
Affected products
References
- CVE-2024-34703
- SUSE Bug 1227238