Red Hat Security Advisory 2023-6195-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a spoofing vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6195.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2023:6195-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6195  
Issue date:         2023-10-30  
Revision:           01  
CVE Names:          CVE-2023-5721  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.4.1.

Security Fix(es):

* Mozilla: Queued up rendering could have allowed websites to clickjack (CVE-2023-5721)

* Mozilla: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4 (CVE-2023-5730)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

* Mozilla: Large WebGL draw could have led to a crash (CVE-2023-5724)

* Mozilla: WebExtensions could open arbitrary URLs (CVE-2023-5725)

* Mozilla: Improper object tracking during GC in the JavaScript engine could have led to a crash. (CVE-2023-5728)

* Mozilla: Address bar spoofing via bidirectional characters (CVE-2023-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5721

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6195-01

Red Hat Security Advisory 2023-6194-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 8. Issues addressed include a spoofing vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6194.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2023:6194-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6194  
Issue date:         2023-10-30  
Revision:           01  
CVE Names:          CVE-2023-5721  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.4.1.

Security Fix(es):

* Mozilla: Queued up rendering could have allowed websites to clickjack (CVE-2023-5721)

* Mozilla: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4 (CVE-2023-5730)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

* Mozilla: Large WebGL draw could have led to a crash (CVE-2023-5724)

* Mozilla: WebExtensions could open arbitrary URLs (CVE-2023-5725)

* Mozilla: Improper object tracking during GC in the JavaScript engine could have led to a crash. (CVE-2023-5728)

* Mozilla: Address bar spoofing via bidirectional characters (CVE-2023-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5721

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6194-01

Red Hat Security Advisory 2023-6193-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 7.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6193.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: thunderbird security updateAdvisory ID:        RHSA-2023:6193-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6193Issue date:         2023-10-30Revision:           01CVE Names:          ====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 115.4.1.Security Fix(es):For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6193-01

Red Hat Security Advisory 2023-6192-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6192.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: thunderbird security updateAdvisory ID:        RHSA-2023:6192-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6192Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-44488====================================================================Summary: An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 115.4.1.Security Fix(es):* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44488References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6192-01

Red Hat Security Advisory 2023-6191-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 9. Issues addressed include a spoofing vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6191.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2023:6191-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6191  
Issue date:         2023-10-30  
Revision:           01  
CVE Names:          CVE-2023-5721  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.4.1.

Security Fix(es):

* Mozilla: Queued up rendering could have allowed websites to clickjack (CVE-2023-5721)

* Mozilla: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4 (CVE-2023-5730)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

* Mozilla: Large WebGL draw could have led to a crash (CVE-2023-5724)

* Mozilla: WebExtensions could open arbitrary URLs (CVE-2023-5725)

* Mozilla: Improper object tracking during GC in the JavaScript engine could have led to a crash. (CVE-2023-5728)

* Mozilla: Address bar spoofing via bidirectional characters (CVE-2023-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5721

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6191-01

Red Hat Security Advisory 2023-6190-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6190.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2023:6190-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6190Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-44488====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 115.4.0 ESR.Security Fix(es):* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44488References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6190-01

Gentoo Linux Security Advisory 202310-20 - A vulnerability has been discovered in rxvt-unicode where data written to the terminal can lead to code execution. Versions greater than or equal to 9.30 are affected.

Gentoo Linux Security Advisory 202310-20

Gentoo Linux Security Advisory 202310-19 - A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used. Versions greater than or equal to 2.3.19.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Dovecot: Privilege Escalation  
     Date: October 30, 2023  
     Bugs: #856733  
       ID: 202310-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Dovecot that can lead to a  
privilege escalation when master and non-master passdbs are used.

Background  
==========

Dovecot is an open source IMAP and POP3 email server.

Affected packages  
=================

Package           Vulnerable     Unaffected  
----------------  -------------  --------------  
net-mail/dovecot  < 2.3.19.1-r1  >= 2.3.19.1-r1

Description  
===========

A vulnerability has been discovered in Dovecot. Please review the CVE  
identifier referenced below for details.

Impact  
======

When two passdb configuration entries exist in Dovecot configuration,  
which have the same driver and args settings, the incorrect  
username_filter and mechanism settings can be applied to passdb  
definitions. These incorrectly applied settings can lead to an  
unintended security configuration and can permit privilege escalation  
with certain configurations involving master user authentication.

Dovecot documentation does not advise against the use of passdb  
definitions which have the same driver and args settings. One such  
configuration would be where an administrator wishes to use the same pam  
configuration or passwd file for both normal and master users but use  
the username_filter setting to restrict which of the users is able to be  
a master user.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Dovecot users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.19.1-r1"

References  
==========

[ 1 ] CVE-2022-30550  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30550

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-19

Debian Linux Security Advisory 5538-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5538-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 27, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728   
                 CVE-2023-5730 CVE-2023-5732

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:115.4.1-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:115.4.1-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU8/MIACgkQEMKTtsN8  
TjYydw/5AYVlXQCfZjiLfnVEk+KVVib53rJGc+eR3QtpcpzO6l73fPgRKWbBylM1  
GEwu8ua6NxQ8rk2SEfA9QFwRj3EE3OBVIDOMNA7RO+UNWYqHtYYHZiif73q/7Y12  
k3gvdKpAZny67bFYSSTxu1Y0yTGmZu0HdIbIc46pfu6kdqJFvqabskEDRZ+IKKOD  
dLdbJ48xY5GjmLaqJ4YX0Mm8x9CO9ILrCjkqjnwz+D/5Tpafue3+tQscJ276eMbw  
qCGlEctLX5HywcpL3W5mSWnLwZZpoOjYdTKyJDW+hTMNTFUqsuoZDylbqiUdxBjU  
ZRenTXMjKOCFATjD3vkJHF6eGZzYIhE92fTmlBeF+j40xbGXW7nq+F4XLl7gtziC  
YzbGxXgG4tvChrt56iMaixt80axt5wVosc2mx+7m+u6aD+ulNKHh0bKP6dchEATY  
stomlKurwR45IyrBdq7EhppUkObV3tpUm7b6h/3LK2wbI2OUwl2lz8wRNXNct04Z  
75LfgyYQE/Mkcffay3IL1Ej7qBq7u8URxmvYXJ9OO148ihJTCdv7qYI9w/ltSB9s  
gW76DXOoW+9t6RSCP7ftCsx2QEW5sdq0V4tTptIlEuAFJ29ORoQ1xDyc4bQlvqWn  
lLO1vbZmk2iZfEzg6JYX9ceG6AL4HY8sHDe1TlcUEOyVsB89obg=  
=IfPw  
-----END PGP SIGNATURE-----

Debian Security Advisory 5538-1

Debian Linux Security Advisory 5537-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5537-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-11CVE ID         : CVE-2023-22067 CVE-2023-22081Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in bypass of sandbox restrictions or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 11.0.21+9-1~deb11u1.We recommend that you upgrade your openjdk-11 packages.For the detailed security status of openjdk-11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU74DgACgkQEMKTtsN8Tjbrug/+K+/T0ydiyOhIQ/4s4rrQr2YBx0miVGaBTFjuAEw/YduTbIT4eLsJsWOZeQ2dg2ZkIFtW1Ngs7QUaA7WgAjgAu7tnW90rZYFiQalcxPlwAmnSWZSYM9SSaW9p/AHARm8uSQ0YKjlnskCEDVXODVggzOQLpvVF2oA8MA+1Rtb6hnl1W4u+IDXvhXCZzniKheuAe/G9iz0nY8wHgEVNfIc1KO+MKFyD8Z655kH8qgGuMcyORGYDFDX4l6luorc/dA15dr90pokg0TD/2L2dIbkEsj0zOePzU6yZsYTBgQ878Y8gdJnCirpSS/ZaCKWAOSX+fARW+wVUsscvpUh/TcDyHEKh8EjA05ahaiqp6/gvScz8H9rbebYw32glFEu89JMgfDLAI137YLqkfOWhLIKvCzZ+u+drpg7Hf0yjDU0dPWWzc0KHd/asClDxyec5N5zlDCI7eGvY2zxH0TsGqiyed2GVTPi1TR3FWRRvlCC1uKiZF9vdmQZTubDzqpjR7gGbVIyGfn6lYDOxqhOTq7ftoJ3+BjCBxuaxZmHBtw2QzQCb8pJalQj1D2IgqsMBAt92pdD+3DyXjEYnFHNRr330uDiVg2ZeadatRkm+VwiI+pJGwkl+1Xrom1Mg2SQkeNtiY5IO3lGAjIhU8b0TkbrgdMoM3j0zI4dQkX8+BRV5YKM==UEly-----END PGP SIGNATURE-----

Source

Packet Storm