RLSA-2024:0003: thunderbird security update

Source: Rockylinux Product Errata (errata.rockylinux.org)
Published: 2024-01-09 04:07:41
Tags: thunderbird update, version 115.6.0, security fixes, rocky linux 8, mozilla, common vulnerability scoring system, cve list, heap-buffer-overflow, memory safety bugs, s/mime signature, symlinks, use-after-free, sandbox escape, unix

CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9.9 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 77.4%)

An update is available for thunderbird.
This update affects Rocky Linux 8.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.6.0.

Security Fix(es):

  • Mozilla: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver (CVE-2023-6856)

  • Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)

  • Mozilla: S/MIME signature accepted despite mismatching message date (CVE-2023-50761)

  • Mozilla: Truncated signed text was shown with a valid OpenPGP signature (CVE-2023-50762)

  • Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)

  • Mozilla: Heap buffer overflow in nsTextFragment (CVE-2023-6858)

  • Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)

  • Mozilla: Potential sandbox escape due to VideoBridge lack of texture validation (CVE-2023-6860)

  • Mozilla: Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode (CVE-2023-6861)

  • Mozilla: Use-after-free in nsDNSService (CVE-2023-6862)

  • Mozilla: Undefined behavior in ShutdownObserver() (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
