Ubuntu Security Notice 5709-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox saved usernames to a plaintext file. A local user could potentially exploit this to obtain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5709-1November 01, 2022firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Firefox could be made to crash or run programs as your login if itopened a malicious website.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2022-42927,CVE-2022-42928, CVE-2022-42929, CVE-2022-42930, CVE-2022-42932)It was discovered that Firefox saved usernames to a plaintext file. Alocal user could potentially exploit this to obtain sensitive information.(CVE-2022-42931)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         106.0.2+build1-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  firefox                         106.0.2+build1-0ubuntu0.18.04.1After a standard system update you need to restart Firefox to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5709-1  CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42930,  CVE-2022-42931, CVE-2022-42932Package Information:  https://launchpad.net/ubuntu/+source/firefox/106.0.2+build1-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/firefox/106.0.2+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5709-1

This archive contains all of the 88 exploits added to Packet Storm in October, 2022.

Packet Storm New Exploits For October, 2022

Gentoo Linux Security Advisory 202210-42 - A buffer overflow in zlib might allow an attacker to cause remote code execution. Versions less than 1.2.12-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-42  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: zlib: Multiple vulnerabilities  
     Date: October 31, 2022  
     Bugs: #863851, #835958  
       ID: 202210-42

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow in zlib might allow an attacker to cause remote code  
execution.

Background  
==========

zlib is a widely used free and patent unencumbered data compression  
library.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sys-libs/zlib              < 1.2.12-r3              >= 1.2.12-r3

Description  
===========

Multiple vulnerabilities have been discovered in zlib. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Maliciously crafted input handled by zlib may result in remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All zlib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.12-r3"

References  
==========

[ 1 ] CVE-2018-25032  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25032  
[ 2 ] CVE-2022-37434  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-42

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-42

Red Hat Security Advisory 2022-7268-01 - An update for openvswitch2.11 is now available for Red Hat OpenStack Platform 13 (Queens). Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 13.0 (openvswitch2.11) security update  
Advisory ID:       RHSA-2022:7268-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7268  
Issue date:        2022-11-01  
CVE Names:         CVE-2022-2132   
=====================================================================

1. Summary:

An update for openvswitch2.11 is now available for Red Hat OpenStack  
Platform 13 (Queens).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - ELS - noarch, ppc64le, x86_64

3. Description:

Security Fix(es):

* DoS when a Vhost header crosses more than two descriptors and exhausts  
all mbufs (CVE-2022-2132)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2099475 - CVE-2022-2132 dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs

6. Package List:

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
openvswitch2.11-2.11.3-96.2.el7fdp.src.rpm

ppc64le:  
openvswitch2.11-2.11.3-96.2.el7fdp.ppc64le.rpm  
openvswitch2.11-debuginfo-2.11.3-96.2.el7fdp.ppc64le.rpm  
openvswitch2.11-devel-2.11.3-96.2.el7fdp.ppc64le.rpm  
python-openvswitch2.11-2.11.3-96.2.el7fdp.ppc64le.rpm

x86_64:  
openvswitch2.11-2.11.3-96.2.el7fdp.x86_64.rpm  
openvswitch2.11-debuginfo-2.11.3-96.2.el7fdp.x86_64.rpm  
openvswitch2.11-devel-2.11.3-96.2.el7fdp.x86_64.rpm  
python-openvswitch2.11-2.11.3-96.2.el7fdp.x86_64.rpm

Red Hat OpenStack Platform 13.0 - ELS:

noarch:  
openvswitch2.11-test-2.11.3-96.2.el7fdp.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2132  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2EXQ9zjgjWX9erEAQgXJA//a9ABzUVg5uKXRRKpGwT3bq5X6eE4BIc/  
IIM1aeu8+eB5NuRkA3YN4ax3CiwRBRu7vG8a0xC1Ci3nyEGL3mXiWrgli/QGOV5P  
TFsVjQckJpqA14VxlI5DxUdXaE2US5ZxQY2SEyQAjYgZ6FYbLDqoDVAayDZ58GuC  
w5u8JxXqPaGMJJa1EhjTnUnyO6TT+4zSUAPGF+3wycbZnlMYBENOFRNVCDVeISPx  
7m5Ag8PmwYpnQR2PijcYlylXJT10LYcU2AdfZ+5QsehgEMnqQpXC6d0BKbSyM5gc  
oFtrblUrq16iivSLISXmjbDmASxsnJsfG95Gg4CDvX3BBlscsaPMv3UfltJls41u  
GfVjOpMUuz3BLJbrt3q5qpnoZJHQ2xIQf1l6OMT6uV37gg98DI7bwVcz2vhddKWU  
7v1cLVbxuKcEs8rK01tPlhVFedt0xHQj/xHukPJwF9GbbpUGXRb3rFOZIhqxaEFO  
5bwjriEXodk8IZ1OOyit6We9Eyv5Wdeb7MHFzPYX9PLz6TQltgzK5HT3IcMTSmBC  
mBdXaO4e7FV5BcLgRXcWokbHIb525ighA1DEuFfLNfL6j8g8LfxEbO6slezFI/zt  
UMJolhIlTubyFxLE+EroENhaSg2BVAxV6DIL1ja7XXRsJTGVb/jQ7ybl/xhKncCp  
2CQMgWLKVWw=  
=hMkz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7268-01

Gentoo Linux Security Advisory 202210-41 - Multiple vulnerabilities have been found in android-tools, the worst of which could result in arbitrary code execution. Versions less than 33.0.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-41  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: android-tools: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #878281  
       ID: 202210-41

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in android-tools, the worst of  
which could result in arbitrary code execution.

Background  
==========

android-tools contains Android platform tools (adb, fastboot, and  
mkbootimg).

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-util/android-tools     < 33.0.3                    >= 33.0.3

Description  
===========

Multiple vulnerabilities have been discovered in android-tools. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All android-tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-util/android-tools-33.0.3"

References  
==========

[ 1 ] CVE-2022-3168  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3168  
[ 2 ] CVE-2022-20128  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20128

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-41

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-41

Gentoo Linux Security Advisory 202210-40 - Multiple vulnerabilities have been found in SQLite, the worst of which could result in arbitrary code execution. Versions less than 3.39.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-40  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SQLite: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #777990, #863431  
       ID: 202210-40

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in SQLite, the worst of which  
could result in arbitrary code execution.

Background  
==========

SQLite is a C library that implements an SQL database engine.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-db/sqlite              < 3.39.2                    >= 3.39.2

Description  
===========

Multiple vulnerabilities have been discovered in SQLite. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All SQLite users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.39.2"

References  
==========

[ 1 ] CVE-2021-20227  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20227  
[ 2 ] CVE-2022-35737  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35737

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-40

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-40

Gentoo Linux Security Advisory 202210-39 - Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. Versions less than 2.10.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-39  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libxml2: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #877149  
       ID: 202210-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libxml2, the worst of which  
could result in arbitrary code execution.

Background  
==========

libxml2 is the XML C parser and toolkit developed for the GNOME project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libxml2           < 2.10.3                    >= 2.10.3

Description  
===========

Multiple vulnerabilities have been discovered in libxml2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libxml2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.10.3"

References  
==========

[ 1 ] CVE-2022-40303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40303  
[ 2 ] CVE-2022-40304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-39

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-39

Gentoo Linux Security Advisory 202210-38 - A vulnerability has been found in Expat which could result in denial of service. Versions less than 2.5.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-38  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Expat: Denial of Service  
     Date: October 31, 2022  
     Bugs: #878271  
       ID: 202210-38

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Expat which could result in denial of  
service.

Background  
==========

Expat is a set of XML parsing libraries.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/expat             < 2.5.0                      >= 2.5.0

Description  
===========

In certain out-of-memory situations, Expat may free memory before it  
should, leading to a use-after-free.

Impact  
======

A use-after-free can result in denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Expat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.5.0"

References  
==========

[ 1 ] CVE-2022-43680  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43680

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-38

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-38

Gentoo Linux Security Advisory 202210-34 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.4.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-34  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #877773  
       ID: 202210-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst  
of which could result in arbitrary code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 102.4.0:esr          >= 102.4.0:esr  
                                < 106.0:rapid          >= 106.0:rapid  
  2  www-client/firefox-bin     < 102.4.0:esr          >= 102.4.0:esr  
                                < 106.0:rapid          >= 106.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.4.0"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.4.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-106.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-106.0"

References  
==========

[ 1 ] CVE-2022-42927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42927  
[ 2 ] CVE-2022-42928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42928  
[ 3 ] CVE-2022-42929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42929  
[ 4 ] CVE-2022-42930  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42930  
[ 5 ] CVE-2022-42931  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42931  
[ 6 ] CVE-2022-42932  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42932

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-34

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-34

Gentoo Linux Security Advisory 202210-35 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. Versions less than 102.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-35  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873667, #878315  
       ID: 202210-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the  
worst of which could result in arbitrary code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/thunderbird    < 102.4.0                  >= 102.4.0  
  2  mail-client/thunderbird-bin  < 102.4.0                >= 102.4.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.4.0"

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.4.0"

References  
==========

[ 1 ] CVE-2022-39236  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39236  
[ 2 ] CVE-2022-39249  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39249  
[ 3 ] CVE-2022-39250  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39250  
[ 4 ] CVE-2022-39251  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39251  
[ 5 ] CVE-2022-42927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42927  
[ 6 ] CVE-2022-42928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42928  
[ 7 ] CVE-2022-42929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42929  
[ 8 ] CVE-2022-42932  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42932

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-35

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5