thunderbird-102.11.0-1.el8.ML.1

エラータID: AXSA:2023-6153:18

Release date: 
Wednesday, June 28, 2023 - 04:25
Subject: 
thunderbird-102.11.0-1.el8.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.11.0.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups (CVE-2023-32205)
* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)
* Mozilla: Potential permissions request bypass via clickjacking (CVE-2023-32207)
* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11 (CVE-2023-32215)
* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)
* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)
* Mozilla: Potential memory corruption in FileReader::DoReadData() (CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-32205
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-32206
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-32207
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-32211
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-32212
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-32213
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-32215
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2023-32205
In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
CVE-2023-32206
An out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
CVE-2023-32207
A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
CVE-2023-32211
A type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
CVE-2023-32212
An attacker could have positioned a datalist element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
CVE-2023-32213
When reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
CVE-2023-32215
Memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.
Additional Info: 

N/A

Download: 

SRPMS
  1. thunderbird-102.11.0-1.el8.ML.1.src.rpm
    MD5: 7b3df6421e1b5c4874df017adb1b6dc0
    SHA-256: 79a3c70d00837caa723ba6e6de2239d0d2bcfcc4ee820d0b54fe35f386e84228
    Size: 616.52 MB

Asianux Server 8 for x86_64
  1. thunderbird-102.11.0-1.el8.ML.1.x86_64.rpm
    MD5: 775290327143889a49e4957765cfcd98
    SHA-256: 2c029c220b97f55bdbfed3e6c15ef61876924fc0682463f3449445ce80b03e14
    Size: 104.96 MB