thunderbird-115.9.0-1.el9_3.ML.1

エラータID: AXSA:2024-7671:09

Release date: 
Thursday, April 11, 2024 - 17:54
Subject: 
thunderbird-115.9.0-1.el9_3.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.9.0.

Security Fix(es):

* nss: timing attack against RSA decryption (CVE-2023-5388)
* Mozilla: Crash in NSS TLS method (CVE-2024-0743)
* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)
* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)
* Mozilla: Integer overflow could have led to out of bounds write

(CVE-2024-2608)

* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage

(CVE-2024-2610)

* Mozilla: Clickjacking vulnerability could have led to a user accidentally

granting permissions (CVE-2024-2611)

* Mozilla: Self referencing object could have potentially led to a

use-after-free (CVE-2024-2612)

* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and

Thunderbird 115.9 (CVE-2024-2614)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-5388
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-0743
An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-1936
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.
CVE-2024-2607
Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:* This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-2608
`AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-2610
Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-2611
A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-2612
If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVE-2024-2614
Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. thunderbird-115.9.0-1.el9_3.ML.1.src.rpm
    MD5: a969e4d09f8ee20f4e7e47d47c1dd5f6
    SHA-256: e05d98e1b8247d0a973654f1a7c4a38511b8307f07531cc6613c460e3ba6f356
    Size: 705.71 MB

Asianux Server 9 for x86_64
  1. thunderbird-115.9.0-1.el9_3.ML.1.x86_64.rpm
    MD5: 27045dd4cd1ea6c9fc16b9b3c80555b2
    SHA-256: 6998e3f73230858d0cbd4610041b6c795836273ba0bc616c3c3c55dace5ae0f4
    Size: 107.92 MB