thunderbird-102.10.0-2.el8.ML.1

Errata ID: AXSA:2023-5300:14

Release date: Tuesday, April 18, 2023 - 09:40
Subject: thunderbird-102.10.0-2.el8.ML.1
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.10.0.

Security Fix(es):

* Thunderbird: Revocation status of S/Mime recipient certificates was not
checked (CVE-2023-0547)
* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service
attack (CVE-2023-28427)
* Mozilla: Fullscreen notification obscured (CVE-2023-29533)
* Mozilla: Potential Memory Corruption following Garbage Collector compaction
(CVE-2023-29535)
* Mozilla: Invalid free from JavaScript code (CVE-2023-29536)
* Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
(CVE-2023-29550)
* Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)
* Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)
* Mozilla: Content-Disposition filename truncation leads to Reflected File
Download (CVE-2023-29539)
* Mozilla: Files with malicious extensions could have been downloaded unsafely
on Linux (CVE-2023-29541)
* Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)
* MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp (BZ#2186102)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2023-0547
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-1945
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-28427
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript.
In versions prior to 24.0.0, events sent with special strings in key places can
temporarily disrupt or impede the matrix-js-sdk from functioning properly,
potentially impacting the consumer's ability to process data safely. Note that
the matrix-js-sdk can appear to be operating normally but be excluding or
corrupting runtime data presented to the consumer. This vulnerability is
distinct from GHSA-rfv9-x7hh-xc32, which covers a similar issue. The issue has
been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are
no known workarounds for this vulnerability.
CVE-2023-29479
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29533
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29535
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29536
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29539
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29541
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29548
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29550
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. thunderbird-102.10.0-2.el8.ML.1.src.rpm
    MD5: dc163dca5aef74c92bee91990b627809
    SHA-256: 2d18ae7800b43bdc2d4bb7b3d60b69b201c3df78aa17043039cbe7dadb916d0c
    Size: 616.94 MB

Asianux Server 8 for x86_64
  1. thunderbird-102.10.0-2.el8.ML.1.x86_64.rpm
    MD5: 6d0ffce13c5feb4dc7265d0c290caf04
    SHA-256: 4c3355acec8a3d0dd47722054bd74e67c3302254205d958f660ed6545b2bf0fc
    Size: 105.02 MB