Ubuntu Security Notice 5828-1 - It was discovered that Kerberos incorrectly handled certain S4U2Self requests. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. Greg Hudson discovered that Kerberos PAC implementation incorrectly handled certain parsing operations. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5828-1  
January 25, 2023

krb5 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Kerberos.

Software Description:  
- krb5: MIT Kerberos Network Authentication Protocol

Details:

It was discovered that Kerberos incorrectly handled certain S4U2Self  
requests. An attacker could possibly use this issue to cause a denial of  
service. This issue was only addressed in Ubuntu 16.04 ESM and Ubuntu  
18.04 LTS. (CVE-2018-20217)

Greg Hudson discovered that Kerberos PAC implementation incorrectly  
handled certain parsing operations. A remote attacker could use this  
issue to cause a denial of service, or possibly execute arbitrary code.  
(CVE-2022-42898)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   krb5-admin-server               1.20-1ubuntu0.1  
   krb5-kdc                        1.20-1ubuntu0.1  
   krb5-user                       1.20-1ubuntu0.1  
   libgssapi-krb5-2                1.20-1ubuntu0.1  
   libkdb5-10                      1.20-1ubuntu0.1

Ubuntu 22.04 LTS:  
   krb5-admin-server               1.19.2-2ubuntu0.1  
   krb5-kdc                        1.19.2-2ubuntu0.1  
   krb5-user                       1.19.2-2ubuntu0.1  
   libgssapi-krb5-2                1.19.2-2ubuntu0.1  
   libkdb5-10                      1.19.2-2ubuntu0.1

Ubuntu 20.04 LTS:  
   krb5-admin-server               1.17-6ubuntu4.2  
   krb5-kdc                        1.17-6ubuntu4.2  
   krb5-user                       1.17-6ubuntu4.2  
   libgssapi-krb5-2                1.17-6ubuntu4.2  
   libkdb5-9                       1.17-6ubuntu4.2

Ubuntu 18.04 LTS:  
   krb5-admin-server               1.16-2ubuntu0.3  
   krb5-kdc                        1.16-2ubuntu0.3  
   krb5-user                       1.16-2ubuntu0.3  
   libgssapi-krb5-2                1.16-2ubuntu0.3  
   libkdb5-9                       1.16-2ubuntu0.3

Ubuntu 16.04 ESM:  
   krb5-admin-server               1.13.2+dfsg-5ubuntu2.2+esm3  
   krb5-kdc                        1.13.2+dfsg-5ubuntu2.2+esm3  
   krb5-user                       1.13.2+dfsg-5ubuntu2.2+esm3  
   libgssapi-krb5-2                1.13.2+dfsg-5ubuntu2.2+esm3  
   libkdb5-8                       1.13.2+dfsg-5ubuntu2.2+esm3

Ubuntu 14.04 ESM:  
   krb5-admin-server               1.12+dfsg-2ubuntu5.4+esm3  
   krb5-kdc                        1.12+dfsg-2ubuntu5.4+esm3  
   krb5-user                       1.12+dfsg-2ubuntu5.4+esm3  
   libgssapi-krb5-2                1.12+dfsg-2ubuntu5.4+esm3  
   libkdb5-7                       1.12+dfsg-2ubuntu5.4+esm3

After a standard system update you need to restart any application  
using Kerberos libraries to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5828-1  
   CVE-2018-20217, CVE-2022-42898

Package Information:  
   https://launchpad.net/ubuntu/+source/krb5/1.20-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.2  
   https://launchpad.net/ubuntu/+source/krb5/1.16-2ubuntu0.3

Ubuntu Security Notice USN-5828-1

Ubuntu Security Notice 5827-1 - Rob Schulhof discovered that Bind incorrectly handled a large number of UPDATE messages. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. Borja Marcos discovered that Bind incorrectly handled certain RRSIG queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10.

==========================================================================  
Ubuntu Security Notice USN-5827-1  
January 25, 2023

bind9 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Bind.

Software Description:  
- bind9: Internet Domain Name Server

Details:

Rob Schulhof discovered that Bind incorrectly handled a large number of  
UPDATE messages. A remote attacker could possibly use this issue to cause  
Bind to consume resources, resulting in a denial of service.  
(CVE-2022-3094)

Borja Marcos discovered that Bind incorrectly handled certain RRSIG  
queries. A remote attacker could possibly use this issue to cause Bind to  
crash, resulting in a denial of service. This issue only affected Ubuntu  
22.04 LTS and Ubuntu 22.10. (CVE-2022-3736)

Maksym Odinintsev discovered that Bind incorrectly handled certain answers  
from stale cache. A remote attacker could possibly use this issue to cause  
Bind to crash, resulting in a denial of service. This issue only affected  
Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2022-3924)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   bind9                           1:9.18.4-2ubuntu2.1

Ubuntu 22.04 LTS:  
   bind9                           1:9.18.1-1ubuntu1.3

Ubuntu 20.04 LTS:  
   bind9                           1:9.16.1-0ubuntu2.12

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5827-1  
   CVE-2022-3094, CVE-2022-3736, CVE-2022-3924

Package Information:  
   https://launchpad.net/ubuntu/+source/bind9/1:9.18.4-2ubuntu2.1  
   https://launchpad.net/ubuntu/+source/bind9/1:9.18.1-1ubuntu1.3  
   https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.12

Ubuntu Security Notice USN-5827-1

Ubuntu Security Notice 5826-1 - Joshua Rogers discovered that Privoxy incorrectly handled memory allocation. An attacker could possibly use this issue to cause a denial of service. Artem Ivanov discovered that Privoxy incorrectly handled input validations. An attacker could possibly use this issue to perform cross-site scripting attacks.

    ==========================================================================Ubuntu Security Notice USN-5826-1January 25, 2023privoxy vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Privoxy.Software Description:- privoxy: Privacy enhancing HTTP ProxyDetails:Joshua Rogers discovered that Privoxy incorrectly handled memory allocation. Anattacker could possibly use this issue to cause a denial of service. (CVE-2021-44540)Artem Ivanov discovered that Privoxy incorrectly handled input validations. Anattacker could possibly use this issue to perform cross-site scripting (XSS) attacks.(CVE-2021-44543)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   privoxy                         3.0.28-2ubuntu0.2Ubuntu 18.04 LTS:   privoxy                         3.0.26-5ubuntu0.3In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-5826-1   CVE-2021-44540, CVE-2021-44543

Ubuntu Security Notice USN-5826-1

Red Hat Security Advisory 2023-0274-01 - Angular JavaScript library packaged for setuptools / pip.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 17.0 (python-XStatic-Angular) security update  
Advisory ID:       RHSA-2023:0274-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0274  
Issue date:        2023-01-25  
CVE Names:         CVE-2019-10768  
====================================================================  
1. Summary:

An update for python-XStatic-Angular is now available for Red Hat OpenStack  
Platform 17.0 (Wallaby).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 17.0 - noarch

3. Description:

Angular JavaScript library packaged for setuptools (easy_install) / pip.

Security Fix(es):

* Prototype pollution in merge function could result in code injection  
(CVE-2019-10768)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1813309 - CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection

6. Package List:

Red Hat OpenStack Platform 17.0:

Source:  
python-XStatic-Angular-1.5.8.0-15.el9ost.src.rpm

noarch:  
XStatic-Angular-common-1.5.8.0-15.el9ost.noarch.rpm  
python3-XStatic-Angular-1.5.8.0-15.el9ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10768  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaJNzjgjWX9erEAQiO5g/+IxDa/ZzGCchT5ap2MfKHcNJT5nZxdalH  
1feTMbJygrySaxWbTvuFzvQSTSgnYKRahZs+jApJ5kCeCpv1L7Wq8hkaey/zO+ur  
LZhUzj86Tv2wvZMg0EBlCvBVbCGsTKrTa67yJ1a/bvvJIFqujv5K7fqD29xj4KW7  
twynUmYaIzB5F5z35baug2aSAXRl+WOBoegXn/r1GycB/e3q6/EDxrx4h3TMPfEC  
Ipa8kdhV2EwA/pdGxBurEb9TVHXBVtjyiCy2tPtJtZYwX/zlRDj7BR3wEYqQSpf+  
vXkIe2Z1Om5oJM3EZnF/tBtaOH0a0mSeJXIfklNGXzutyhAJI43GIeG85AThNz2O  
bIo9XI+ws0fLLGpnnug/cpOyxsS/H5YPjB5/KEvCDekCEZ58L/V/5WphgK/A7cyt  
THchgvJ+o37ARG3Yi2Nn0/AePxPvDLs/NWm7qAoQA/SgajaVhm7ogjaA2v+p4LaB  
5SuKnvG+B3lrmOHwu4io0neTccwxss6hAm0vLWvIjWsS2g6foviXTjq+h71vtnen  
pwACnQh91X899rL9nqpVjxImqG0tllFCuhDCdAL+mbb41QeYWVbRWHyH5Goke9W3  
8foDbRzIIHCQCcjWIOGY6A52L4dA+4Z8VoLIosKHj1OrFez2Zo3pq4Apf9i2lJkU  
aLC02pHGTsM=+hEu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0274-01

Red Hat Security Advisory 2023-0459-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0459-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0459  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598  
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602  
                   CVE-2023-23603 CVE-2023-23605  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
thunderbird-102.7.1-1.el8_2.src.rpm

aarch64:  
thunderbird-102.7.1-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.7.1-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
thunderbird-102.7.1-1.el8_2.src.rpm

aarch64:  
thunderbird-102.7.1-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.7.1-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
thunderbird-102.7.1-1.el8_2.src.rpm

aarch64:  
thunderbird-102.7.1-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.7.1-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaOtzjgjWX9erEAQiIeg/+LjvliwRM4FbgbYJHm2PMVpJJdR1AohHp  
0cSwokN5QGZfcKs7vQUIs+xZQiwrjKR32D6i4cUoBeVpzcGVmLWVfo8Mini9ORVd  
5qm/w4bk1I8PlLSvvbVs6gCEkayMH2tOR+kaFhJ+nnHAz+pT/tdyA9C0EsypeTYJ  
Utox3B1q4voEn2PnG5gPkvAVWKSnIjGwzXkfIor1ka9aLRfSnJNf+0wVOnAbGlQj  
w39AvRqyc9MaPPcjbTG1qJfUh5XK1JjBpKepaeuxngtj9QacouQmIJHAsGBOVlcJ  
RnrIdYOak67wwgrT5LOpWs9A2RiSoyd4v6T4YlR7rLchK0DAK/nMa7m8mxndB2pY  
+KTlxOA2ZFRm7BiAARyPo3mmQ5YmFYdBYBwzXpgPl0nBeWmmxx2wvULGy2u1oRYq  
bS8DQVgGySZL2tGychDGsxDAWg4ZSxeWRUlnUY494wjBsoc1onevlnQ0fvShifMu  
WGaLKvRDq0Rc5udaVxAIlYvzegxo8s6xssH080sNUTcj99kKkYgGWUOfCh7I1zlS  
7NM4ltcuQMs7TXeYWbxAwIRpvcKyFgfgtkahTRc8f6kW39gXO6U2kh2+Sydclon2  
NgLhcVr02mcYkeaOwnxfqe+9m0JtbhWHSliiNk9uQ2XwwbhYAhO6lj+/yJRAPlQ+  
i9GsAS+Zgu4=JlDR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0459-01

Red Hat Security Advisory 2023-0276-01 - Python ServerView Common Command Interface Client Library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 17.0 (python-scciclient) security update  
Advisory ID:       RHSA-2023:0276-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0276  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-2996  
====================================================================  
1. Summary:

An update for python-scciclient is now available for Red Hat OpenStack  
Platform 17.0 (Wallaby).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 17.0 - noarch

3. Description:

Python ServerView Common Command Interface (SCCI) Client Library

Security Fix(es):

* missing server certificate verification (CVE-2022-2996)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2115122 - CVE-2022-2996 python-scciclient: missing server certificate verification

6. Package List:

Red Hat OpenStack Platform 17.0:

Source:  
python-scciclient-0.10.2-0.20220830130628.b8e6e34.el9ost.src.rpm

noarch:  
python3-scciclient-0.10.2-0.20220830130628.b8e6e34.el9ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2996  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaJtzjgjWX9erEAQhufA//bWy0OyM6jUJ3nj4S9QWL0ASzN30fhQEI  
uUzP1z0ENI+gjeuRGR8Rn3ybLUPxvPnUTsIowVmDoYW3nFsWnqtPYOrMp6ge0kWX  
UIGTQcS3GFVOW7rc9u3DP0yuuZS5e/UbDuFqsiF/tQSi1Ra3t5rPmNnhLzB/AZax  
e0NYQOJMaODRmBO1dRYXz2HfRhxoHazbwCK67CB2upbeWO9Vyt3K42oVhaQJWEsM  
uVcRuvKkIvL4IypiJDP9dpu3j59LSVAh0e2q0Y77hFGnoa1UI/wV4F6Satbq6QZW  
ClT05TqxajjEeNxye8dlWtW4GCXs5RsyJTnKOKce8toEtz4wqjxfcQNEl5JMXUjj  
5xpTGJ3ItPWRpu75eLXR6onUnwE4y+spQTMJVc+NfoHgdiCjIHsq7AbSoCJzYD0q  
yg9yrHmjWHGVqbg2iOZu521ZpYVV4ZaxAKcPJVBIhEMNEWBfJ4UJbIV1tFcO/dUb  
ARRBnLVC7pBsujaJkGIFuGC9PPBmqqX5usbrxsHMfSjLN3lzVAikPVEQKTQLrmXp  
NVAjd0cHbD0LH8VY3xvX1HjZD7lDTlybEKnKCC3sHEGBVNhk+V/cwrbTMxl5F1VC  
idVUvhbSx6DmRNGQImg4i+Q8A29QLm+T4r4TFlJoyrKxhIJn0UsjAw5zOS/kyRJz  
7kWpDHK2bQg×Oe  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0276-01

Red Hat Security Advisory 2023-0462-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0462-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0462  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598  
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602  
                   CVE-2023-23603 CVE-2023-23605  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
thunderbird-102.7.1-1.el8_6.src.rpm

aarch64:  
thunderbird-102.7.1-1.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_6.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.7.1-1.el8_6.s390x.rpm  
thunderbird-debuginfo-102.7.1-1.el8_6.s390x.rpm  
thunderbird-debugsource-102.7.1-1.el8_6.s390x.rpm

x86_64:  
thunderbird-102.7.1-1.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_6.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaQNzjgjWX9erEAQh1Pg//djRBF4GAY7Nblo/heNLrOF3ZHCTDIDlZ  
z62YH3+YmrlmZplWKfFiDw0En5WzkHpY2ozNUqjgqXgkqBBY1ksEztWqtutJj9cN  
kAFDZiAifNa0auj4JNw1KGW/irDen12lTTHX3atOiCTfySVCarh8I7W5cIWbhnCr  
QptOygb6uuwpIQO7RhMKEPTjv3IAR4MVa985r/C6IgzGuMfry6X1ELtG4Cgnv4iO  
VHAmPV2cOcQGgo5Ufda6Z9kv3BKHVfEysaTHWZ4hz0OATTZH+1Pe+WqA8Iod+Z2w  
hLMNHJ4QTpE5/3CoAk1ueBk7MzCj1dob8o+Q3XkD5M4SLBVAeAkbkMEWMFdbGE+I  
qvU6P2whftkMYnj4Rpl7Y2dH5aJwmFKItXzgYUh5iypijEeuNUo3BcxH0LY2P8k+  
99egBSdcVdtyVbsXCHnwnu0WWLBlKjOCAG03qiHnBhDFi5vBNHwh9VYx1t/z5OgX  
bHa+BpnTBSXmqSu9keP0TgHNWYr4MXwWy0zvfD59rwWaCaKCwhWrZ1borjqQNNWC  
i/iFcZ+yhbKKr6JKAoFCWKtC6DRR+Swtso/FyR+73AiCotExpMTdKDY8pDjreifE  
lyl5g4J5KR35XiS2VqVfeZxmfb+c2AgHUaNXvigDjMvB1hPgibtByPPLlY3hABov  
cRGOeHEjhVc=VxcE  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0462-01

Red Hat Security Advisory 2023-0461-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0461-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0461  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598  
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602  
                   CVE-2023-23603 CVE-2023-23605  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
thunderbird-102.7.1-1.el9_0.src.rpm

aarch64:  
thunderbird-102.7.1-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el9_0.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-102.7.1-1.el9_0.s390x.rpm  
thunderbird-debuginfo-102.7.1-1.el9_0.s390x.rpm  
thunderbird-debugsource-102.7.1-1.el9_0.s390x.rpm

x86_64:  
thunderbird-102.7.1-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el9_0.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaQ9zjgjWX9erEAQje4BAAlN4k8IMtEp0+RvEsYSv1zXQd/rF7GRfQ  
TUIWqyL7PvsZ3CRcmCFx2DI+exwPjSsBA5N91oSj4FuM+G52SqBnBQOx1kdwupVe  
P9eTivcfrIu5nShv57WMp4MkQNtgP6WT0z+l0roXmVe7H2BSqBj1dct790E/Kc2A  
leMFADsTTpKWr7umehVvrZGa/kaPVNCB/gHzkMi7a48kfCKPHvczkIlRShYkkEmE  
X5dIfunzZcjjGvR9y7R6gxP67+I4U500qLfIGscQAUiVEJ2viggk22UJiEE5aixE  
wXxvAWKtld2N0fwFHNvEkW4xHhg5VHgW6JCOPiPnwMUhAAJzlP67uaIEz2iGY5N0  
EnMQkN0DskzabztxH5FaZYDtSCMZGqJPUks8OXNcRePnP3bjgcyglRNs9Su2/jZB  
qF4BoTxemSgOsIwCw8+Ut1vOoI+MQfizJrsews5fFH2nPpJte715gIGosBY2I9ac  
QeEPy8e0xw4Nx+Kiodi0gKmqDTRuT58iWM1jWIxbN6gxfh0yUjilnj/MdDSZUpjL  
0FOC5dT3HX3NxUu8mKfFbUHF1OuJytp/D4DJf71kXLaDL0VSHV9hm2kQ+YzULWVo  
H9P60eI/27qKA0vPKnSuCWeZTz3hf6pvSgX4jevNTTI2T6mbMgGDP4zRpwkRZnM3  
NYM0ywXObOc=iwdm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0461-01

Red Hat Security Advisory 2023-0460-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0460-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0460  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598  
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602  
                   CVE-2023-23603 CVE-2023-23605  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.7.1-1.el8_4.src.rpm

aarch64:  
thunderbird-102.7.1-1.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_4.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.7.1-1.el8_4.s390x.rpm  
thunderbird-debuginfo-102.7.1-1.el8_4.s390x.rpm  
thunderbird-debugsource-102.7.1-1.el8_4.s390x.rpm

x86_64:  
thunderbird-102.7.1-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaLdzjgjWX9erEAQhshg/9GbIA1qaVHww01jbdEXH5DD5ntdlCX+wI  
m5JB88iEODbumgb0VlIZy/nnCmQ9HbD/ZjksK4CYXc3sIQuvmxT5tHCsz6dpqv48  
xZC4TokZWFQvf1PubKgNHfEngHYGFpOWIX0PMdBbmyLuqd1Zs91HoW4NWs/75V+U  
yFV2ZABsSjilrSg1c8zSBrGxvH2cAil36LqUO9t4QvMQp80yT1BYfY5gGqUokaiQ  
nH7g3XNtO/MSqqaamTMhct6Q+kRmVx29riL7DNSshDY2Fjm4sR70BDMv6N2AxW+t  
rDBVN9NuC2x/RCz/wwLg01SN1PUeFY80YB+neXHxCxtZZhHD3JHhqcEMWCEWaPgY  
lUbqeB9UXcKWjthk56qQ3jLI4mjPOkTjHo8uKKejou291r8TOJciUgmGGNxQHzOE  
rtmTeZjL8Gg9HGc9I3QJXSmHb6s/aN2ahsifcb4dCc2fjZBlkrbj0f9aUhszFllG  
ZpKkiMyYaGgisR1qIklUebDvGgsjjpfyVbdyOIglDppzjeT1VSPBTE2AWhTt9F/t  
3aHXWRhphmWsLthMW0GQFhTeMvaVEdM3mcwohYChuVzFlllEGHdrrGuda4uTHh1b  
phYeWumv9HLHT5cLwaHgZeAgoicALEV4NulCneKS/5OjkRZVk45Q73uENSGgV6fL  
OO9Ukvy95Zs=tJqw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0460-01

Red Hat Security Advisory 2023-0463-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0463-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0463  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598  
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602  
                   CVE-2023-23603 CVE-2023-23605  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-102.7.1-1.el8_7.src.rpm

aarch64:  
thunderbird-102.7.1-1.el8_7.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_7.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el8_7.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el8_7.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el8_7.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el8_7.ppc64le.rpm

s390x:  
thunderbird-102.7.1-1.el8_7.s390x.rpm  
thunderbird-debuginfo-102.7.1-1.el8_7.s390x.rpm  
thunderbird-debugsource-102.7.1-1.el8_7.s390x.rpm

x86_64:  
thunderbird-102.7.1-1.el8_7.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el8_7.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaNNzjgjWX9erEAQjeNhAAjrgCkbIYkDVd5XZIkbQmkcpM3Q+WlYn1  
cBY4n0B9tUf46g4MYMYfykUqfVZGqx6ybf9vlEaMnipPJlbgxZThS9pQXm0i9rjk  
j2be2JeaPB1uIv/C7pCihfsSISUDK/ifLp2w1wNcPgWEsyWxPq12RkPF5nCzuPpH  
V9jZ7Zmo0652oDWWzz1XPfwxXRJRpjAM1T95+7JuFdVDauOa/oHpGi6VGdGJCvx7  
AhGhrVNZVxUD6XpatUulisbgGUL+GU7iC1Jb2xOAZ0H5cLaXplYI+hvCUTvPb2Mi  
nPVy9yYW8A7wExefVUeVWZ5ny/66UdC8R6q3JylAvxb68onMryMhG/g+9+Q+LcsY  
dr/F+k3TVujZM2AtHCYMpFWCLs7WKR1822JLLpgAVYnLrUXOopLZaBxBgbB9r1PD  
RGSVA5Ftt7U0S6D1/5Vm/yjvvRh16KdjUhlJzrCktS4NIZK0IxazO6SBq5rADbr6  
Wc3C09nkr/xdaJPtJjppqn466I9IoxyvrZnR8qdVtwurpvpTeafSvaMkYlvigjs2  
47kZET2IOP7EIRLdqGyevZV2gy7RfXCly/mX/4Ek42GnqrqS8J7or9rl+nBnSwKy  
eHgi/XPZsHaUj4FsY4OZAZGKPKH02oQ8IBUWtDunnsdDLusOp80ARGa6Xm40ozvU  
qPoO5b/CT7c=y8BJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm