Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-5224-01

Red Hat Security Advisory 2023-5224-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.15.1. Issues addressed include a buffer overflow vulnerability.

Packet Storm
#vulnerability#web#linux#red_hat#js#buffer_overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2023:5224-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5224
Issue date: 2023-09-19
CVE Names: CVE-2023-4863
====================================================================

  1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

  1. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.15.1.

Security Fix(es):

  • libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

  1. Bugs fixed (https://bugzilla.redhat.com/):

2238431 - CVE-2023-4863 libwebp: Heap buffer overflow in WebP Codec

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
thunderbird-102.15.1-1.el9_2.src.rpm

aarch64:
thunderbird-102.15.1-1.el9_2.aarch64.rpm
thunderbird-debuginfo-102.15.1-1.el9_2.aarch64.rpm
thunderbird-debugsource-102.15.1-1.el9_2.aarch64.rpm

ppc64le:
thunderbird-102.15.1-1.el9_2.ppc64le.rpm
thunderbird-debuginfo-102.15.1-1.el9_2.ppc64le.rpm
thunderbird-debugsource-102.15.1-1.el9_2.ppc64le.rpm

s390x:
thunderbird-102.15.1-1.el9_2.s390x.rpm
thunderbird-debuginfo-102.15.1-1.el9_2.s390x.rpm
thunderbird-debugsource-102.15.1-1.el9_2.s390x.rpm

x86_64:
thunderbird-102.15.1-1.el9_2.x86_64.rpm
thunderbird-debuginfo-102.15.1-1.el9_2.x86_64.rpm
thunderbird-debugsource-102.15.1-1.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2023-4863
https://access.redhat.com/security/updates/classification/#important

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlCWl+AAoJENzjgjWX9erE1bUP/i6j7UACBljwknEWUY6oASPc
fp8l3BtUrtoMMIpLYwpuwEHgNM86BNStsVMzRSMT7XPkK3dRLBk4326OLm/2yEZJ
B/wliTO+neP7PRkOPmaHjJg3O0hsZTJHSUFryg8bbteIteJiCFVifBamNpaR2GeR
3oYexrVyOvOTjSdueJSore645jOcyhsQaMc+mNA5fbAy0bVL2D3E8A7iIbntwaBz
No6Q4/zwMEakm3qEXSd8Xc9bpvaLZr8Z7g0Pd7uijMZAJKdKx8UyCA0y/NeWi6Y/
A5btMjnKIxB1VYJxAgwxMYy/MdU2FTwfjBZ61V0e+a+OrrGKBIBYbIHZczKohfsF
+MZyg229LFxsq80WbP/z9CsuNT8AtsJt286feQqdFz5/WAMiXgLgFMhZNFmYTJoW
kLBvZvbLpwy4itC44BJST9JfNFWlmofg948Hdu5ChAwS00LjM0PIok0JF9Ol5Zu0
+znDFbckz8yzwjS5hATH/JUmT9T9TKFmCatt2JNKwjF1lle7bCeYQgXf7uNc2UO2
cIR9rH9KJwIxKfXBB3nD38TnNRvh0imp5XtvHh1tpoXPv6pZCBwGFo27eKN4NyR3
0cpaM8ZXouhEEmYacKBf6p/P3K4qKXn5jcsvuNTUWbSqbnt4Vhb9MNdLfgESA1lA
jGVfJt/jJ12JpT+DeQSD
=fYw8
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Microsoft’s Response to Open-Source Vulnerabilities - CVE-2023-4863 and CVE-2023-5217

Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. Through our investigation, we found that these affect a subset of our products and as of today, we have addressed them in our products as outlined below: CVE-2023-4863 Microsoft Edge Microsoft Teams for Desktop Skype for Desktop Webp Image Extensions (Released on Windows and updates through Microsoft Store) CVE-2023-5217

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

Ubuntu Security Notice USN-6369-2

Ubuntu Security Notice 6369-2 - USN-6369-1 fixed a vulnerability in libwebp. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code.

RHSA-2023:5309: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5236: Red Hat Security Advisory: libwebp: critical security update

An update for libwebp is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which give a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5223: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5204: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5197: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5198: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

Debian Security Advisory 5498-1

Debian Linux Security Advisory 5498-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

RHSA-2023:5185: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker...

Debian Security Advisory 5497-1

Debian Linux Security Advisory 5497-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

Debian Security Advisory 5496-1

Debian Linux Security Advisory 5496-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's

GHSA-j7hp-h8jx-5ppr: libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Packet Storm: Latest News

Omada Identity Cross Site Scripting