Lucene search

K

AmazonALAS-2023-2334

HistoryNov 09, 2023 - 7:19 p.m.

Important: thunderbird

2023-11-0919:19:00

alas.aws.amazon.com

5

mozilla

thunderbird

security advisory

cve-2023-5721

cve-2023-5724

cve-2023-5725

cve-2023-5728

cve-2023-5730

cve-2023-5732

memory safety bugs

webextension

crash

exploitable code

garbage collection

sensitive user data

address bar spoofing

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.2%

Issue Overview:

The Mozilla Foundation Security Advisory describes this flaw as:

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. (CVE-2023-5721)

The Mozilla Foundation Security Advisory describes this flaw as:

Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. (CVE-2023-5724)

The Mozilla Foundation Security Advisory describes this flaw as:

A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. (CVE-2023-5725)

The Mozilla Foundation Security Advisory describes this flaw as:

During garbage collection extra operations were performed on a object that should not be. This could have led to a potentially exploitable crash. (CVE-2023-5728)

The Mozilla Foundation Security Advisory describes this flaw as:

Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2023-5730)

The Mozilla Foundation Security Advisory describes this flaw as:

An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. (CVE-2023-5732)

Affected Packages:

thunderbird

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update thunderbird to update your system.

New Packages:

aarch64:  
    thunderbird-115.4.1-1.amzn2.0.1.aarch64  
    thunderbird-debuginfo-115.4.1-1.amzn2.0.1.aarch64  
  
src:  
    thunderbird-115.4.1-1.amzn2.0.1.src  
  
x86_64:  
    thunderbird-115.4.1-1.amzn2.0.1.x86_64  
    thunderbird-debuginfo-115.4.1-1.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, CVE-2023-5730, CVE-2023-5732

Mitre: CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, CVE-2023-5730, CVE-2023-5732

OSVersionArchitecturePackageVersionFilename
Amazon Linux2aarch64thunderbird< 115.4.1-1.amzn2.0.1thunderbird-115.4.1-1.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64thunderbird-debuginfo< 115.4.1-1.amzn2.0.1thunderbird-debuginfo-115.4.1-1.amzn2.0.1.aarch64.rpm
Amazon Linux2x86_64thunderbird< 115.4.1-1.amzn2.0.1thunderbird-115.4.1-1.amzn2.0.1.x86_64.rpm
Amazon Linux2x86_64thunderbird-debuginfo< 115.4.1-1.amzn2.0.1thunderbird-debuginfo-115.4.1-1.amzn2.0.1.x86_64.rpm

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.2%

Related for ALAS-2023-2334

nessus49 openvas24 mageia2 redhat13 osv6 almalinux4 oraclelinux6 rocky1 mozilla4 kaspersky4 slackware2 ubuntu1 cvelist6 prion6 debiancve6 alpinelinux6 redhatcve6 veracode6 cve6 ubuntucve6 gentoo1 ibm1