thunderbird-102.10.0-2.el9.ML.1

Errata ID: AXSA:2023-5301:15

Release date: Tuesday, April 18, 2023 - 09:55
Subject: thunderbird-102.10.0-2.el9.ML.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.10.0.

Security Fix(es):

* Thunderbird: Revocation status of S/MIME recipient certificates was not
checked (CVE-2023-0547)
* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service
attack (CVE-2023-28427)
* Mozilla: Fullscreen notification obscured (CVE-2023-29533)
* Mozilla: Potential Memory Corruption following Garbage Collector compaction
(CVE-2023-29535)
* Mozilla: Invalid free from JavaScript code (CVE-2023-29536)
* Mozilla: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
(CVE-2023-29550)
* Mozilla: Memory Corruption in Safe Browsing Code (CVE-2023-1945)
* Thunderbird: Hang when processing certain OpenPGP messages (CVE-2023-29479)
* Mozilla: Content-Disposition filename truncation leads to Reflected File
Download (CVE-2023-29539)
* Mozilla: Files with malicious extensions could have been downloaded unsafely
on Linux (CVE-2023-29541)
* Mozilla: Incorrect optimization result on ARM64 (CVE-2023-29548)
* MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp (BZ#2186102)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2023-0547
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-1945
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-28427
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript.
In versions prior to 24.0.0 events sent with special strings in key places can
temporarily disrupt or impede the matrix-js-sdk from functioning properly,
potentially impacting the consumer's ability to process data safely. Note that
the matrix-js-sdk can appear to be operating normally but be excluding or
corrupting runtime data presented to the consumer. This vulnerability is
distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has
been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are
no known workarounds for this vulnerability.
CVE-2023-29479
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29533
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29535
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29536
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29539
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29541
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29548
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2023-29550
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. thunderbird-102.10.0-2.el9.ML.1.src.rpm
    MD5: e6d0418bf259866819efa722e49ae71d
    SHA-256: 285acdfb312b10447c0428e48b766d62d852da9daccb418431f53ac49cd6ba51
    Size: 616.94 MB

Asianux Server 9 for x86_64
  1. thunderbird-102.10.0-2.el9.ML.1.x86_64.rpm
    MD5: c27d6696adfe10f5d55c51157e874dfe
    SHA-256: d65dc0000717c3ff3785af8b518e3f2729736c47897daa77ad17f4aeba376e89
    Size: 102.50 MB