Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: sysstat: Arbitrary Code Execution  
     Date: November 22, 2022  
     Bugs: #880543  
       ID: 202211-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
An integer overflow vulnerability has been found in sysstat which could  
result in arbitrary code execution.

Background  
=========  
sysstat is a package containing a number of performance monitoring  
utilities for Linux, including sar, mpstat, iostat and sa tools.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/sysstat          < 12.7.1                    >= 12.7.1

Description  
==========  
On 32 bit systems, an integer overflow can be triggered when displaying  
activity data files.

Impact  
=====  
Arbitrary code execution can be achieved via sufficiently crafted  
malicious input.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sysstat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"

References  
=========  
[ 1 ] CVE-2022-39377  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39377

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-07

Gentoo Linux Security Advisory 202211-6 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.5.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #881403  
       ID: 202211-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could result in arbitrary code execution.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 102.5.0:esr          >= 102.5.0:esr  
                                < 107.0:rapid          >= 107.0:rapid  
  2  www-client/firefox-bin     < 102.5.0:esr          >= 102.5.0:esr  
                                < 107.0:rapid          >= 107.0:rapid

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.5.0"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.5.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-107.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-107.0"

References  
=========  
[ 1 ] CVE-2022-40674  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40674  
[ 2 ] CVE-2022-45403  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45403  
[ 3 ] CVE-2022-45404  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45404  
[ 4 ] CVE-2022-45405  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45405  
[ 5 ] CVE-2022-45406  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45406  
[ 6 ] CVE-2022-45407  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45407  
[ 7 ] CVE-2022-45408  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45408  
[ 8 ] CVE-2022-45409  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45409  
[ 9 ] CVE-2022-45410  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45410  
[ 10 ] CVE-2022-45411  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45411  
[ 11 ] CVE-2022-45412  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45412  
[ 12 ] CVE-2022-45413  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45413  
[ 13 ] CVE-2022-45415  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45415  
[ 14 ] CVE-2022-45416  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45416  
[ 15 ] CVE-2022-45417  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45417  
[ 16 ] CVE-2022-45418  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45418  
[ 17 ] CVE-2022-45419  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45419  
[ 18 ] CVE-2022-45420  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45420  
[ 19 ] CVE-2022-45421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45421

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-06

Gentoo Linux Security Advisory 202211-5 - Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. Versions less than 102.5.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #881407  
       ID: 202211-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Thunderbird,  
the worst of which could result in arbitrary code execution.

Background  
=========  
Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/thunderbird    < 102.5.0                  >= 102.5.0  
  2  mail-client/thunderbird-bin  < 102.5.0                >= 102.5.0

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.5.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.5.0"

References  
=========  
[ 1 ] CVE-2022-45403  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45403  
[ 2 ] CVE-2022-45404  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45404  
[ 3 ] CVE-2022-45405  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45405  
[ 4 ] CVE-2022-45406  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45406  
[ 5 ] CVE-2022-45408  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45408  
[ 6 ] CVE-2022-45409  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45409  
[ 7 ] CVE-2022-45410  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45410  
[ 8 ] CVE-2022-45411  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45411  
[ 9 ] CVE-2022-45412  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45412  
[ 10 ] CVE-2022-45416  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45416  
[ 11 ] CVE-2022-45418  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45418  
[ 12 ] CVE-2022-45420  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45420  
[ 13 ] CVE-2022-45421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45421

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-05

Gentoo Linux Security Advisory 202211-8 - A vulnerability has been discovered in sudo which could result in denial of service. Versions less than 1.9.12-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: sudo: Heap-Based Buffer Overread  
     Date: November 22, 2022  
     Bugs: #879209  
       ID: 202211-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in sudo which could result in denial  
of service.

Background  
=========  
sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/sudo             < 1.9.12-r1              >= 1.9.12-r1

Description  
==========  
In certain password input handling, sudo incorrectly assumes the  
password input is at least nine bytes in size, leading to a heap buffer  
overread.

Impact  
=====  
In the worst case, the heap buffer overread can result in the denial of  
service of the sudo process.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"

References  
=========  
[ 1 ] CVE-2022-43995  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43995

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-08

Gentoo Linux Security Advisory 202211-11 - Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution. Versions less than 9.56.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GPL Ghostscript: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #852944, #812509  
       ID: 202211-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in GPL Ghostscript, the worst  
of which could result in arbitrary code execution.

Background  
=========  
Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/ghostscript-gpl   < 9.56.1                    >= 9.56.1

Description  
==========  
Multiple vulnerabilities have been discovered in GPL Ghostscript. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GPL Ghostscript users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1"

References  
=========  
[ 1 ] CVE-2021-3781  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3781  
[ 2 ] CVE-2022-2085  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2085

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-11

Gentoo Linux Security Advisory 202211-9 - A vulnerability has been found in xterm which could allow for arbitrary code execution. Versions less than 375 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: xterm: Arbitrary Code Execution  
     Date: November 22, 2022  
     Bugs: #880747  
       ID: 202211-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in xterm which could allow for arbitrary  
code execution.

Background  
=========  
xterm is a terminal emulator for the X Window system.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-terms/xterm            < 375                          >= 375

Description  
==========  
xterm does not correctly handle control characters related to OSC 50  
font ops sequence handling.

Impact  
=====  
The vulnerability allows text written to the terminal to write text to  
the terminal's command line. If the terminal's shell is zsh running with  
vi line editing mode, text written to the terminal can also trigger the  
execution of arbitrary commands via writing ^G to the terminal.

Workaround  
=========  
As a workaround, users can disable xterm's usage of OSC 50 sequences by  
adding the following to the XResources configuration:

XTerm*allowFontOps: false

Resolution  
=========  
All xterm users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-terms/xterm-375"

References  
=========  
[ 1 ] CVE-2022-45063  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45063

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-09

Gentoo Linux Security Advisory 202211-10 - Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution. Versions less than 9.3.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pillow: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #855683, #878769, #832598, #830934, #811450, #802090  
       ID: 202211-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Pillow, the worst of which  
could result in arbitrary code execution.

Background  
=========  
The friendly PIL fork.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/pillow          < 9.3.0                      >= 9.3.0

Description  
==========  
Multiple vulnerabilities have been discovered in Pillow. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pillow users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/pillow-9.3.0"

References  
=========  
[ 1 ] CVE-2021-23437  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23437  
[ 2 ] CVE-2021-34552  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34552  
[ 3 ] CVE-2022-22815  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22815  
[ 4 ] CVE-2022-22816  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22816  
[ 5 ] CVE-2022-22817  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22817  
[ 6 ] CVE-2022-24303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24303  
[ 7 ] CVE-2022-45198  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45198  
[ 8 ] CVE-2022-45199  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45199

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-10

Ubuntu Security Notice 5716-2 - USN-5716-1 fixed a vulnerability in SQLite. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that SQLite incorrectly handled certain long string arguments. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.

    =========================================================================Ubuntu Security Notice USN-5716-2November 21, 2022sqlite3 vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 ESMSummary:SQLite could be made to crash or run programs if it received speciallycrafted input.Software Description:- sqlite3: C library that implements an SQL database engineDetails:USN-5716-1 fixed a vulnerability in SQLite. This update providesthe corresponding update for Ubuntu 14.04 ESM.Original advisory details: It was discovered that SQLite incorrectly handled certain long string arguments. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 ESM:  libsqlite3-0                    3.8.2-1ubuntu2.2+esm3In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5716-2  https://ubuntu.com/security/notices/USN-5716-1  CVE-2022-35737

Ubuntu Security Notice USN-5716-2

Ubuntu Security Notice 5658-3 - USN-5658-1 fixed several vulnerabilities in DHCP. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service.

    =========================================================================Ubuntu Security Notice USN-5658-3November 21, 2022isc-dhcp vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 ESMSummary:Several security issues were fixed in DHCP.Software Description:- isc-dhcp: DHCP server and clientDetails:USN-5658-1 fixed several vulnerabilities in DHCP. This update providesthe corresponding update for Ubuntu 14.04 ESM.Original advisory details: It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service. (CVE-2022-2928) It was discovered that DHCP incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause DHCP clients and servers to consume resources, leading to a denial of service. (CVE-2022-2929)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 ESM:  isc-dhcp-client                 4.2.4-7ubuntu12.13+esm2  isc-dhcp-server                 4.2.4-7ubuntu12.13+esm2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5658-3  https://ubuntu.com/security/notices/USN-5658-1  CVE-2022-2928, CVE-2022-2929

Ubuntu Security Notice USN-5658-3

Red Hat Security Advisory 2022-8561-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8561-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8561  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.5.0-2.el9_1.src.rpm

aarch64:  
thunderbird-102.5.0-2.el9_1.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el9_1.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el9_1.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el9_1.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el9_1.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el9_1.ppc64le.rpm

s390x:  
thunderbird-102.5.0-2.el9_1.s390x.rpm  
thunderbird-debuginfo-102.5.0-2.el9_1.s390x.rpm  
thunderbird-debugsource-102.5.0-2.el9_1.s390x.rpm

x86_64:  
thunderbird-102.5.0-2.el9_1.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el9_1.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJwdzjgjWX9erEAQhnUg//evEIK/8jBt56rDj9c45gX63Es3IGl11Z  
FZ97RFyfLc84Dmff8PpwTXSOXh7wk2el/Z+RTVKIJxonJlXEbyOKCNnUzm646U8O  
rFoYgrAB4LVkBvULrNOK5PS0VNkzboQSFZV2VjRENSGJOZcSA8wy55kQEVjwD8W0  
MWxukUbl6iDMk+7hfT+wCDXHzd1o51/RJWiL/y9ajFokzVi7Wvru9mQO1KhR/JlM  
gU/QU8NXHOOp6MgXRqBX0l5IiCt7AYfGfe1F4jPyzJ16aOM+twmCdxvAtRvvkK93  
mXIoaMXZr5iVvxT8xrCKj7yknHYTCoYQZa7Pv9vv8h3Hb/IQ0gnV32L+kO/fq61x  
GomZHzVpkHlcR0INE2EjdcN0KVS/Ps40QsAJOg6jPlQwckvxYoLVA+mzlfOZVWSN  
LM7jcCe3Ua71NTUHv/d7Qtkj6AqVbuhaGCuqgSoHVgAuHrCQ1My33yjSP6NrYuc9  
FDmExHJLn9jY5jsLQ2V9601L31CpOYwkavn1s2/sp8pOW2ESSp1cGX8u5GnaVsE+  
gUlUx232wmK/RdW4VWBmn4jyULCEttuVf2rjtGuZHsqPBVnlFKFKoG5rygVxJHFi  
FccBzbIqGjn9SNBIC2MFCiUi5QMPN0ymxcDRFwjWgQudZfhk8fPhX6wTOhAA2W6l  
F0U30Bem0zE«3N  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm