Red Hat Security Advisory 2023-4062-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.13.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4062-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4062  
Issue date:        2023-07-13  
CVE Names:         CVE-2023-37201 CVE-2023-37202 CVE-2023-37207   
                   CVE-2023-37208 CVE-2023-37211   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.13.0.

Security Fix(es):

* Mozilla: Use-after-free in WebRTC certificate generation (CVE-2023-37201)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-37202)

* Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and  
Thunderbird 102.13 (CVE-2023-37211)

* Mozilla: Fullscreen notification obscured (CVE-2023-37207)

* Mozilla: Lack of warning when opening Diagcab files (CVE-2023-37208)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2219747 - CVE-2023-37201 Mozilla: Use-after-free in WebRTC certificate generation  
2219748 - CVE-2023-37202 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2219749 - CVE-2023-37207 Mozilla: Fullscreen notification obscured  
2219750 - CVE-2023-37208 Mozilla: Lack of warning when opening Diagcab files  
2219751 - CVE-2023-37211 Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.13.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.13.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.13.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.13.0-2.el7_9.src.rpm

ppc64le:  
thunderbird-102.13.0-2.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.13.0-2.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.13.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.13.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.13.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.13.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.13.0-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37201  
https://access.redhat.com/security/cve/CVE-2023-37202  
https://access.redhat.com/security/cve/CVE-2023-37207  
https://access.redhat.com/security/cve/CVE-2023-37208  
https://access.redhat.com/security/cve/CVE-2023-37211  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkr/6mAAoJENzjgjWX9erEhuoP/20EVMOx6edjLyXlxJ2nWCoZ  
OIZdOv5pCeZGx8C7cuznSUTerQRfvOtMLcrcQQ1QdqArbO1+ADpou7FgRGgGBHjH  
oeFOluQFl2UCmXgj3Llg2hwiVJbbIoIFPoGEUeoIVnB9m6iA20eXdiOPgZqRaPg8  
44vt/H++81ORygFHoVQfFWJhvz/COyyxOT2+zcdD9Q01G0EviH5l605FvH4mxayI  
hfbneE72RQMJS+lwu9TQ26zKe0hBOoXvAqF433XrLlGlv2NiWLyXvXy6mw2Btl6B  
aJxyaXRSMBx6EDEGaNe+Xv3W2JSfeSfD/zPpBsHevenZzIKFizJtwtvIuziAtN7V  
NSehQlSMUk3pIH6ZXOOj+5PTODBPTGdrirLtht0uWrEJFqhzz51sDHRKnkukNYeV  
TDHcgb7Qi3qHD1/Cw9AFJn8QPEn8PsPP2OW7h51sW196tro1q54DIHGlJc1JYeFL  
bRwpLoJ0lfdMtpW1jDNioaLUQymYuA7DNnS8w6LXnDk/xKzNZBCSGTooknRQ1yyk  
Ma1l43Ffo+/9g+/bPt4SdZ3+5qaMwV8n+bvktn6wzoNMV+/iptxFVAmkzHqj8O/n  
XDXsvDp7Bmk9wCtqFANITbb8++zQ4Sj9vHlIFwLYLgOjU4Km5O4zNt1I9rf8aPiZ  
m9wu6qojPPvyRiwgtlep  
=JbVs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4062-01

BloodBank version 1.0 suffers from an insecure direct object reference vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration unauthorized administrative access Vulnerability  || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /admin/subscriber-csv.php[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/admin/subscriber-csv.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BloodBank 1.0 Insecure Direct Object Reference

Ubuntu Security Notice 6224-1 - It was discovered that the XFS file system implementation in the Linux kernel did not properly perform metadata validation when mounting certain images. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service. Wei Chen discovered that the InfiniBand RDMA communication manager implementation in the Linux kernel contained an out-of-bounds read vulnerability. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6224-1July 12, 2023linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the XFS file system implementation in the Linuxkernel did not properly perform metadata validation when mounting certainimages. An attacker could use this to specially craft a file system imagethat, when mounted, could cause a denial of service (system crash).(CVE-2023-2124)Wei Chen discovered that the InfiniBand RDMA communication managerimplementation in the Linux kernel contained an out-of-bounds readvulnerability. A local attacker could use this to cause a denial of service(system crash). (CVE-2023-2176)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   linux-image-6.2.0-1007-aws      6.2.0-1007.7   linux-image-6.2.0-1008-kvm      6.2.0-1008.8   linux-image-6.2.0-1008-lowlatency  6.2.0-1008.8   linux-image-6.2.0-1008-lowlatency-64k  6.2.0-1008.8   linux-image-6.2.0-1008-raspi    6.2.0-1008.10   linux-image-6.2.0-25-generic    6.2.0-25.25   linux-image-6.2.0-25-generic-64k  6.2.0-25.25   linux-image-6.2.0-25-generic-lpae  6.2.0-25.25   linux-image-aws                 6.2.0.1007.8   linux-image-generic             6.2.0.25.25   linux-image-generic-64k         6.2.0.25.25   linux-image-generic-lpae        6.2.0.25.25   linux-image-kvm                 6.2.0.1008.8   linux-image-lowlatency          6.2.0.1008.8   linux-image-lowlatency-64k      6.2.0.1008.8   linux-image-raspi               6.2.0.1008.11   linux-image-raspi-nolpae        6.2.0.1008.11   linux-image-virtual             6.2.0.25.25After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6224-1   CVE-2023-2124, CVE-2023-2176Package Information:   https://launchpad.net/ubuntu/+source/linux/6.2.0-25.25   https://launchpad.net/ubuntu/+source/linux-aws/6.2.0-1007.7   https://launchpad.net/ubuntu/+source/linux-kvm/6.2.0-1008.8   https://launchpad.net/ubuntu/+source/linux-lowlatency/6.2.0-1008.8   https://launchpad.net/ubuntu/+source/linux-raspi/6.2.0-1008.10

Ubuntu Security Notice USN-6224-1

Red Hat Security Advisory 2023-4070-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.13.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:4070-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4070  
Issue date:        2023-07-13  
CVE Names:         CVE-2023-37201 CVE-2023-37202 CVE-2023-37207   
                   CVE-2023-37208 CVE-2023-37211   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.13.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free in WebRTC certificate generation (CVE-2023-37201)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-37202)

* Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and  
Thunderbird 102.13 (CVE-2023-37211)

* Mozilla: Fullscreen notification obscured (CVE-2023-37207)

* Mozilla: Lack of warning when opening Diagcab files (CVE-2023-37208)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2219747 - CVE-2023-37201 Mozilla: Use-after-free in WebRTC certificate generation  
2219748 - CVE-2023-37202 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2219749 - CVE-2023-37207 Mozilla: Fullscreen notification obscured  
2219750 - CVE-2023-37208 Mozilla: Lack of warning when opening Diagcab files  
2219751 - CVE-2023-37211 Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
firefox-102.13.0-2.el8_2.src.rpm

aarch64:  
firefox-102.13.0-2.el8_2.aarch64.rpm  
firefox-debuginfo-102.13.0-2.el8_2.aarch64.rpm  
firefox-debugsource-102.13.0-2.el8_2.aarch64.rpm

ppc64le:  
firefox-102.13.0-2.el8_2.ppc64le.rpm  
firefox-debuginfo-102.13.0-2.el8_2.ppc64le.rpm  
firefox-debugsource-102.13.0-2.el8_2.ppc64le.rpm

s390x:  
firefox-102.13.0-2.el8_2.s390x.rpm  
firefox-debuginfo-102.13.0-2.el8_2.s390x.rpm  
firefox-debugsource-102.13.0-2.el8_2.s390x.rpm

x86_64:  
firefox-102.13.0-2.el8_2.x86_64.rpm  
firefox-debuginfo-102.13.0-2.el8_2.x86_64.rpm  
firefox-debugsource-102.13.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
firefox-102.13.0-2.el8_2.src.rpm

aarch64:  
firefox-102.13.0-2.el8_2.aarch64.rpm  
firefox-debuginfo-102.13.0-2.el8_2.aarch64.rpm  
firefox-debugsource-102.13.0-2.el8_2.aarch64.rpm

ppc64le:  
firefox-102.13.0-2.el8_2.ppc64le.rpm  
firefox-debuginfo-102.13.0-2.el8_2.ppc64le.rpm  
firefox-debugsource-102.13.0-2.el8_2.ppc64le.rpm

s390x:  
firefox-102.13.0-2.el8_2.s390x.rpm  
firefox-debuginfo-102.13.0-2.el8_2.s390x.rpm  
firefox-debugsource-102.13.0-2.el8_2.s390x.rpm

x86_64:  
firefox-102.13.0-2.el8_2.x86_64.rpm  
firefox-debuginfo-102.13.0-2.el8_2.x86_64.rpm  
firefox-debugsource-102.13.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
firefox-102.13.0-2.el8_2.src.rpm

aarch64:  
firefox-102.13.0-2.el8_2.aarch64.rpm  
firefox-debuginfo-102.13.0-2.el8_2.aarch64.rpm  
firefox-debugsource-102.13.0-2.el8_2.aarch64.rpm

ppc64le:  
firefox-102.13.0-2.el8_2.ppc64le.rpm  
firefox-debuginfo-102.13.0-2.el8_2.ppc64le.rpm  
firefox-debugsource-102.13.0-2.el8_2.ppc64le.rpm

s390x:  
firefox-102.13.0-2.el8_2.s390x.rpm  
firefox-debuginfo-102.13.0-2.el8_2.s390x.rpm  
firefox-debugsource-102.13.0-2.el8_2.s390x.rpm

x86_64:  
firefox-102.13.0-2.el8_2.x86_64.rpm  
firefox-debuginfo-102.13.0-2.el8_2.x86_64.rpm  
firefox-debugsource-102.13.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37201  
https://access.redhat.com/security/cve/CVE-2023-37202  
https://access.redhat.com/security/cve/CVE-2023-37207  
https://access.redhat.com/security/cve/CVE-2023-37208  
https://access.redhat.com/security/cve/CVE-2023-37211  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkr/6lAAoJENzjgjWX9erEV1MP/ipOMglJO752WnvtwEYdnYXI  
yh0DY3e+PI89XT7BB1r/YVDWrHM3tjkRu1hyjSaunqskhgqpuiv3AzcyHCpAA0Fr  
os4c9LO8O/t7PBlgpZylKfI7yWL+yv4FlOTF6zcuMfDupafeE1cPfvfmWhWbh1cL  
6btMBvsydqF6y2FH/qV3gnKL+qoYZq5lZZ2lFj3RbqOSUnZbGZXBXvTdZbhFh79p  
Q9kKAYlyzww+uSBjNBQPVVky86pQNhbJLQH58fXVwMyPGe1aSsD5Jcvm3Fzf3bTz  
2o+6I+QBRtBvnP6STQj2isG//sIRHaXawdxANWJSun1Pjq0W8X2H9hUPAI6H87uu  
GsWtLKZ+fR2JgY1e38An/696fplH4xCglbERBAw3y9HvTumvn+HawcFl28+EIM/7  
Ykp6OCM/nXspc3b23DXwQxrPrtEfdsmjGnoWa7tNvin882aTTZh8t26X4ZQC8Hyx  
bmFtZlvSu/y2crZV4SaYFSfMMpl/K4iqzLLTptPjb0uovMS5mAfYahgHw8dtylhN  
hLSJkhK/JRctak8sONKflGXQ7SPHRhwPJ9itV4giP55ybFR0JaykInVdSCC4iJAG  
EyoXndkwY5Ys02jzhCj1lkl8Pv7swX93FLVV37n1eCdoFPJ55cBfaIAUo4n42+IF  
+Dle6KK6Ioydn7CNjZ8n  
=kL6R  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4070-01

Bloly version 1.3 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : Bloly v1.3 Add admin Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.bloly.com/download.php                                                                                  || # Dork      : Bloly v1.3 by SoftCab Inc                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload to add new admin login : /blog/install.php .[+] http://127.0.0.1/www/grupomedbrasilcom.br/blog/install.php   ( add new admin login )[+] http://127.0.0.1/www/grupomedbrasil.combr/blog/index.php?action=3   ( Login from Her )Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Bloly 1.3 Add Administrator

Red Hat Security Advisory 2023-4064-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.13.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4064-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4064  
Issue date:        2023-07-13  
CVE Names:         CVE-2023-37201 CVE-2023-37202 CVE-2023-37207   
                   CVE-2023-37208 CVE-2023-37211   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.13.0.

Security Fix(es):

* Mozilla: Use-after-free in WebRTC certificate generation (CVE-2023-37201)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-37202)

* Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and  
Thunderbird 102.13 (CVE-2023-37211)

* Mozilla: Fullscreen notification obscured (CVE-2023-37207)

* Mozilla: Lack of warning when opening Diagcab files (CVE-2023-37208)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2219747 - CVE-2023-37201 Mozilla: Use-after-free in WebRTC certificate generation  
2219748 - CVE-2023-37202 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2219749 - CVE-2023-37207 Mozilla: Fullscreen notification obscured  
2219750 - CVE-2023-37208 Mozilla: Lack of warning when opening Diagcab files  
2219751 - CVE-2023-37211 Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.13.0-2.el9_2.src.rpm

aarch64:  
thunderbird-102.13.0-2.el9_2.aarch64.rpm  
thunderbird-debuginfo-102.13.0-2.el9_2.aarch64.rpm  
thunderbird-debugsource-102.13.0-2.el9_2.aarch64.rpm

ppc64le:  
thunderbird-102.13.0-2.el9_2.ppc64le.rpm  
thunderbird-debuginfo-102.13.0-2.el9_2.ppc64le.rpm  
thunderbird-debugsource-102.13.0-2.el9_2.ppc64le.rpm

s390x:  
thunderbird-102.13.0-2.el9_2.s390x.rpm  
thunderbird-debuginfo-102.13.0-2.el9_2.s390x.rpm  
thunderbird-debugsource-102.13.0-2.el9_2.s390x.rpm

x86_64:  
thunderbird-102.13.0-2.el9_2.x86_64.rpm  
thunderbird-debuginfo-102.13.0-2.el9_2.x86_64.rpm  
thunderbird-debugsource-102.13.0-2.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37201  
https://access.redhat.com/security/cve/CVE-2023-37202  
https://access.redhat.com/security/cve/CVE-2023-37207  
https://access.redhat.com/security/cve/CVE-2023-37208  
https://access.redhat.com/security/cve/CVE-2023-37211  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkr/6kAAoJENzjgjWX9erEB64P/Ru8eBi3b+ZoXmh0eXWohQGT  
FjBodLnrxNMKcVgSUyzknVW3IPdyNaTvzrToIiyM9Y+seEaQ/MWRxkX29+xYl/wz  
infucPBrPyy8qepkNf3tLr23zZk3eTl9rUQXQWlTb8hNmr1chPEZPRxbnSEQhKie  
6chWGQMwvv6XSwVEok2Fj4h4EVDa6FcOvQoHl90+Al7bQWOEzZGK/+gSaD6tvQEn  
SRL2krCXr6kEMXdTOVTGoKmPFlnBys2KX7QHn6/MfF92bZFPxWPBiSI21QhagF8H  
cS2SuSSNMNeQKyRYmix+gc3DIQx7EP4zwSoBr4Zf5IZU78fCzgckTEKlxzg+EQ9v  
GjSjwu5CSIdWzgI64jG1vhaGYRbBStsSJtIIE6Oa8co8L8a5jspA94YGDFAfbY/G  
KG4ZGWszD8sv3X9jjSvbDuvvTaRyqgQDlKUba5Uad334/Ve5vmsqpAqk4pIPZ2VC  
cKz2z/HwrFcg3zR0/L8nYN6bhyZOm3nNqwEFcW2B9bxqNixqjn7+GHfzkXN5q+f2  
VBmfQTQux7jB0oRp8MlrnHiTeiAa3G5uJsytHI0l7obgstLdfzsbPEgnYWLs9vpM  
/xVN7wnmjCCz4PnlHUAWFbmGEsfxJU2yvaFULoPgo5Fn+XiAd8JVXU8w0YuRnvrL  
l+OvWgMJHHk04MxjZV1g  
=zAQY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4064-01

Ubuntu Security Notice 6223-1 - It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service. It was discovered that the Real-Time Scheduling Class implementation in the Linux kernel contained a type confusion vulnerability in some situations. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6223-1  
July 12, 2023

linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems

Details:

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1076)

It was discovered that the Real-Time Scheduling Class implementation in the  
Linux kernel contained a type confusion vulnerability in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-1077)

It was discovered that the ASUS HID driver in the Linux kernel did not  
properly handle device removal, leading to a use-after-free vulnerability.  
A local attacker with physical access could plug in a specially crafted USB  
device to cause a denial of service (system crash). (CVE-2023-1079)

It was discovered that the Xircom PCMCIA network device driver in the Linux  
kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2023-1670)

It was discovered that a race condition existed in the Xen transport layer  
implementation for the 9P file system protocol in the Linux kernel, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (guest crash) or expose sensitive information (guest  
kernel memory). (CVE-2023-1859)

Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2  
mitigations with prctl syscall were insufficient in some situations. A  
local attacker could possibly use this to expose sensitive information.  
(CVE-2023-1998)

It was discovered that the BigBen Interactive Kids' gamepad driver in the  
Linux kernel did not properly handle device removal, leading to a use-  
after-free vulnerability. A local attacker with physical access could plug  
in a specially crafted USB device to cause a denial of service (system  
crash). (CVE-2023-25012)

It was discovered that a use-after-free vulnerability existed in the HFS+  
file system implementation in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-2985)

Hangyu Hua discovered that the Flower classifier implementation in the  
Linux kernel contained an out-of-bounds write vulnerability. An attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-35788, LP: #2023577)

It was discovered that for some Intel processors the INVLPG instruction  
implementation did not properly flush global TLB entries when PCIDs are  
enabled. An attacker could use this to expose sensitive information  
(kernel memory) or possibly cause undesired behaviors. (LP: #2023220)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1041-azure-fde  5.15.0-1041.48.1  
   linux-image-azure-fde           5.15.0.1041.48.19  
   linux-image-azure-fde-lts-22.04  5.15.0.1041.48.19

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6223-1  
   https://launchpad.net/bugs/2023220  
   https://launchpad.net/bugs/2023577  
   CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1670,  
   CVE-2023-1859, CVE-2023-1998, CVE-2023-25012, CVE-2023-2985,  
   CVE-2023-35788

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1041.48.1

Ubuntu Security Notice USN-6223-1

BKMobile CMS version 1.5.0 suffers from a remote blind SQL injection vulnerability.

    ====================================================================================================================================| # Title     : BKMobile-CMS V1.5.0 Blind SQL Injection Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://bekustom.com/                                                                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine[+] http://127.0.0.1/BKMobileCMS/user/full_blog_summary.php?blog_id= <=====| inject Her[+] http://127.0.0.1/BKMobileCMS/admin/ = loginGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BKMobile CMS 1.5.0 SQL Injection

Red Hat Security Advisory 2023-4058-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: .NET 7.0 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:4058-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4058  
Issue date:        2023-07-13  
CVE Names:         CVE-2023-33170   
=====================================================================

1. Summary:

An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

The following packages have been upgraded to a later upstream version:  
dotnet7.0 (SDK 7.0.109, Runtime 7.0.9). (BZ#2219633)

Security Fix(es):

* dotnet: race condition in Core SignInManager<TUser> PasswordSignInAsync  
method (CVE-2023-33170)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2221854 - CVE-2023-33170 dotnet: race condition in Core SignInManager<TUser> PasswordSignInAsync method

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
dotnet7.0-7.0.109-1.el8_8.src.rpm

aarch64:  
aspnetcore-runtime-7.0-7.0.9-1.el8_8.aarch64.rpm  
aspnetcore-targeting-pack-7.0-7.0.9-1.el8_8.aarch64.rpm  
dotnet-7.0.109-1.el8_8.aarch64.rpm  
dotnet-apphost-pack-7.0-7.0.9-1.el8_8.aarch64.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-host-7.0.9-1.el8_8.aarch64.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-hostfxr-7.0-7.0.9-1.el8_8.aarch64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-runtime-7.0-7.0.9-1.el8_8.aarch64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-sdk-7.0-7.0.109-1.el8_8.aarch64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.aarch64.rpm  
dotnet-targeting-pack-7.0-7.0.9-1.el8_8.aarch64.rpm  
dotnet-templates-7.0-7.0.109-1.el8_8.aarch64.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.aarch64.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.aarch64.rpm  
netstandard-targeting-pack-2.1-7.0.109-1.el8_8.aarch64.rpm

ppc64le:  
aspnetcore-runtime-7.0-7.0.9-1.el8_8.ppc64le.rpm  
aspnetcore-targeting-pack-7.0-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-7.0.109-1.el8_8.ppc64le.rpm  
dotnet-apphost-pack-7.0-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-host-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-hostfxr-7.0-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-runtime-7.0-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-sdk-7.0-7.0.109-1.el8_8.ppc64le.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.ppc64le.rpm  
dotnet-targeting-pack-7.0-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-templates-7.0-7.0.109-1.el8_8.ppc64le.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.ppc64le.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.ppc64le.rpm  
netstandard-targeting-pack-2.1-7.0.109-1.el8_8.ppc64le.rpm

s390x:  
aspnetcore-runtime-7.0-7.0.9-1.el8_8.s390x.rpm  
aspnetcore-targeting-pack-7.0-7.0.9-1.el8_8.s390x.rpm  
dotnet-7.0.109-1.el8_8.s390x.rpm  
dotnet-apphost-pack-7.0-7.0.9-1.el8_8.s390x.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-host-7.0.9-1.el8_8.s390x.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-hostfxr-7.0-7.0.9-1.el8_8.s390x.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-runtime-7.0-7.0.9-1.el8_8.s390x.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-sdk-7.0-7.0.109-1.el8_8.s390x.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.s390x.rpm  
dotnet-targeting-pack-7.0-7.0.9-1.el8_8.s390x.rpm  
dotnet-templates-7.0-7.0.109-1.el8_8.s390x.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.s390x.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.s390x.rpm  
netstandard-targeting-pack-2.1-7.0.109-1.el8_8.s390x.rpm

x86_64:  
aspnetcore-runtime-7.0-7.0.9-1.el8_8.x86_64.rpm  
aspnetcore-targeting-pack-7.0-7.0.9-1.el8_8.x86_64.rpm  
dotnet-7.0.109-1.el8_8.x86_64.rpm  
dotnet-apphost-pack-7.0-7.0.9-1.el8_8.x86_64.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-host-7.0.9-1.el8_8.x86_64.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-hostfxr-7.0-7.0.9-1.el8_8.x86_64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-runtime-7.0-7.0.9-1.el8_8.x86_64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-sdk-7.0-7.0.109-1.el8_8.x86_64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.x86_64.rpm  
dotnet-targeting-pack-7.0-7.0.9-1.el8_8.x86_64.rpm  
dotnet-templates-7.0-7.0.109-1.el8_8.x86_64.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.x86_64.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.x86_64.rpm  
netstandard-targeting-pack-2.1-7.0.109-1.el8_8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.aarch64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.aarch64.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.109-1.el8_8.aarch64.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.aarch64.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.aarch64.rpm

ppc64le:  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.ppc64le.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.ppc64le.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.109-1.el8_8.ppc64le.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.ppc64le.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.ppc64le.rpm

s390x:  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.s390x.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.s390x.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.109-1.el8_8.s390x.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.s390x.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.s390x.rpm

x86_64:  
dotnet-apphost-pack-7.0-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-host-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.9-1.el8_8.x86_64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.109-1.el8_8.x86_64.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.109-1.el8_8.x86_64.rpm  
dotnet7.0-debuginfo-7.0.109-1.el8_8.x86_64.rpm  
dotnet7.0-debugsource-7.0.109-1.el8_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-33170  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkr/6TAAoJENzjgjWX9erErocP/ixY1zXl9SDyKwMw0bBEhctt  
j/6F0UV/bSYSMx1cNIiLgHd2Ikw2tlRq7ABLtiGNRM/U8DIGHLMaUFAlhoGf151V  
zRbUIAwHDG6tY1XmhFbKFAjyI0LjFUAt8cgz1kzrgF3tQr4NJm7+jsps8NtLIFt2  
fJ9T7sA6ZHfEdzPO/nctACK1IGb9g4YTUW5sIWi7QFaTzsyi0FHmEu5pYQcXi8ew  
Jn8Zx8ODjhxEdXiVkNeIdWFNr7b/rLhI+PpyvDbX78JTGfDW+f40h6C6+nh73YsF  
qmre/qWnX5Df0MIKYLHvhhyJroG0TdO/J4QLM67Y6lPV4q/XldV9lv/QD8fz9RX4  
4u7K2GzZhvC2DynNIn222B8P6e0usyYgUWWU4m7uSAZPSuEmOhFwC5BYJ/zDXMSL  
7X/pNGP2F0X2QemiFeEmdRKYV+5wE/jduqWXEewtLkMC7kd/RXsIz48/KBlM6mA0  
hQlB6liU4sBor1p9KOO96aoDY3xe65O2wAmboek59GB3u86DJJZiOrmXKWWkD4vt  
3BG/lNRjpZn2Wo7fIQWsOXU3hVTEbwpq0PBxEZIiOzsHsLW2pZo5cR2/ZsqTz+8j  
vnVZMUkGXZFHbTxQAvMHnXswuS0DTP8rDK/B6vhq25cllM545Y/FxUg+kG6M+DGQ  
cBPA/r/Xsfj02cnYa+Zc  
=4ax+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4058-01

Red Hat Security Advisory 2023-4065-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.13.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4065-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4065  
Issue date:        2023-07-13  
CVE Names:         CVE-2023-37201 CVE-2023-37202 CVE-2023-37207   
                   CVE-2023-37208 CVE-2023-37211   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.13.0.

Security Fix(es):

* Mozilla: Use-after-free in WebRTC certificate generation (CVE-2023-37201)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-37202)

* Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and  
Thunderbird 102.13 (CVE-2023-37211)

* Mozilla: Fullscreen notification obscured (CVE-2023-37207)

* Mozilla: Lack of warning when opening Diagcab files (CVE-2023-37208)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2219747 - CVE-2023-37201 Mozilla: Use-after-free in WebRTC certificate generation  
2219748 - CVE-2023-37202 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2219749 - CVE-2023-37207 Mozilla: Fullscreen notification obscured  
2219750 - CVE-2023-37208 Mozilla: Lack of warning when opening Diagcab files  
2219751 - CVE-2023-37211 Mozilla: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.13.0-2.el8_1.src.rpm

ppc64le:  
thunderbird-102.13.0-2.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.13.0-2.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.13.0-2.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.13.0-2.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.13.0-2.el8_1.x86_64.rpm  
thunderbird-debugsource-102.13.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37201  
https://access.redhat.com/security/cve/CVE-2023-37202  
https://access.redhat.com/security/cve/CVE-2023-37207  
https://access.redhat.com/security/cve/CVE-2023-37208  
https://access.redhat.com/security/cve/CVE-2023-37211  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkr/6PAAoJENzjgjWX9erEY2YQAJJ5zs2ZzqjvZtzoExTnO2Ph  
7OWp7LzAe7sqx8urFd/QMHiDQ0IDBj3MPzrvuGuOkno5QcN4eszKI+QhbjM8jadi  
g/cHq/9nS7sbbZbVdE7xNhb6cjHu8r7e54reuq+nrG/Mt1aAuhOnaTdQ7k8Ew9GA  
FNG3cId6po8HpTu/o6Fkx2DWnEmxpPeavKZpTllFQ93znqUfqs6y1yWEeLMRyRak  
ckrqCl4YcDbbFUHCkx65W1zVwwJJ9J1Y7yCUp3kq5l/PRsOEpaeEctY4P+5wT4n9  
eft075r3b/+DYIT+3guBWOTVvi8JHHqLfi2upO4kIF7RJx+cZmvqxvojOHCMk8H6  
5VZWMA5WvRe4mi5G/z28uhzSX/kMvDkEHmi4/xWANyvCPDtJP42GQnB6X2AGPad0  
IeamsuQTeV5g6xOs5U2tQwm5zMteZWTdCKqqpzBONGth5An2iBMZWlfvRM/HKO81  
JUTiOqsGiVklypMDWi+/wTns/vCHn0PEPf4XKvLV0JCIJyaqeRlH085j9ylXP8h1  
i25Pru1NiRtVmwsgapwo2nnyp+uuc8anUhmhcBGyNVaeEgSbxBNj24SYcP4hL3ww  
xdyIJlZQlb8ONFvSuUmlpeyGEoUdHPcWr0W0w8R3ge1DwLx64WhtZvU0i6XZ1DjQ  
U+ePBfKTBPlWsq0GWPhU  
=Zut7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm