thunderbird-102.12.0-1.el9.ML.1
Errata ID: AXSA:2023-6084:17
Release date:
2023/06/20 Tuesday - 08:09
Subject:
thunderbird-102.12.0-1.el9.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
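The following issues have been addressed.
[Security Fix]
- Firefox and Thunderbird lack a feature that protects prompts and
permission dialogs from attacks that exploit delays in the user's
response, so a vulnerability exists that allows a remote attacker,
via a crafted web page, to mislead the user into overriding the
error for an invalid TLS certificate. (CVE-2023-34414)
- Firefox and Thunderbird contain memory corruption issues, so a
vulnerability exists that allows a remote attacker to execute
arbitrary code. (CVE-2023-34416)
Solution:
Update the packages.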
CVE:
CVE-2023-34414
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
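The following is an added illustration of the activation-delay idea described for CVE-2023-34414; it is not Mozilla's code and not part of the original advisory. The class name, the 500 ms delay, the choice to start the timer at first paint, and the event timeline are all assumptions constructed for the demonstration.

```javascript
// Added illustration; not Mozilla's implementation. Names and timings are assumed.
const ACTIVATION_DELAY_MS = 500; // assumed delay for this demo

// Model of the "override certificate error" button on an error page.
// activationDelayMs === null models the page without the protection.
class OverrideButton {
  constructor(activationDelayMs) {
    this.activationDelayMs = activationDelayMs;
    this.paintedAt = null; // time the button first became visible to the user
  }
  onPaint(t) {
    if (this.paintedAt === null) this.paintedAt = t;
  }
  // Returns true if a click at time t activates the override.
  onClick(t) {
    if (this.activationDelayMs === null) return true; // unprotected page
    if (this.paintedAt === null) return false; // user has not seen the button yet
    return t - this.paintedAt >= this.activationDelayMs;
  }
}

// Replay a timeline of events and return the click times that activated.
function replay(button, events) {
  const activated = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "paint") button.onPaint(ev.t);
    else if (ev.type === "click" && button.onClick(ev.t)) activated.push(ev.t);
  }
  return activated;
}

// Constructed timeline, in ms since the error page was loaded.
const timeline = [
  { t: 40, type: "click" },   // click meant for the previous page, before any repaint
  { t: 400, type: "paint" },  // busy renderer: display refreshes late
  { t: 450, type: "click" },  // lands just after the repaint, too soon to be informed
  { t: 2000, type: "click" }, // deliberate click after the user could read the page
];

const unprotectedClicks = replay(new OverrideButton(null), timeline);
const guardedClicks = replay(new OverrideButton(ACTIVATION_DELAY_MS), timeline);
console.log({ unprotectedClicks, guardedClicks });
```

Without the delay every click in the load-to-repaint gap reaches the button; with it, only the click made well after the page was visible does.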
CVE-2023-34416
Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
Additional information:
N/A
Download:
SRPMS
- thunderbird-102.12.0-1.el9.ML.1.src.rpm
MD5: 9d1fcd2d8a79d2bf3e38d35de6d7e92b
SHA-256: 531621c8d6bab0430cf5287b1bb16de3f7c2885e373cd88f439f2fcfd0a70916
Size: 617.00 MB
Asianux Server 9 for x86_64
- thunderbird-102.12.0-1.el9.ML.1.x86_64.rpm
MD5: 1e1bf38329576d49c7e3e1701ba4582b
SHA-256: 5733f7f2f9d600e6411c9a1225bda76ee3a3535004673f3c6da3bb4314a775bf
Size: 102.48 MB