Lucene search

K
almalinuxAlmaLinuxALSA-2024:0001
HistoryJan 02, 2024 - 12:00 a.m.

Important: thunderbird security update

2024-01-0200:00:00
errata.almalinux.org
13
mozilla
thunderbird
security
update
cve-2023-6856
cve-2023-6864
cve-2023-50761
s/mime
openpgp
sandbox escape
unix
cvss score

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.4%

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.6.0.

Security Fix(es):

  • Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver (CVE-2023-6856)
  • Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)
  • Mozilla: S/MIME signature accepted despite mismatching message date (CVE-2023-50761)
  • Mozilla: Truncated signed text was shown with a valid OpenPGP signature (CVE-2023-50762)
  • Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)
  • Mozilla: Heap buffer overflow in <code>nsTextFragment</code> (CVE-2023-6858)
  • Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)
  • Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation (CVE-2023-6860)
  • Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode (CVE-2023-6861)
  • Mozilla: Use-after-free in <code>nsDNSService</code> (CVE-2023-6862)
  • Mozilla: Undefined behavior in <code>ShutdownObserver()</code> (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.4%