AeroCMS v0.0.1 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: AeroCMS v0.0.1.

*   Description

AeroCMS v0.0.1 was discovered to contain a Directory traversal vulnerability. The vulnerability is due to the failure to normalize the url. This vulnerability allows an attacker to read arbitrary files in the root directory of a website.

*   Reproduct

1.  Access any interfaces of Folder Path，For example, "/includes, /images, /js, /fonts, css, /admin and /admin/\*"  
    
2.  Within Burpsuite, concat multiple "../" in url，that can access any file in the server root directory, include configuration files or other website files

CVE-2022-46137: AeroCMS v0.0.1 Directory traversal vulnerability · Issue #7 · MegaTKC/AeroCMS

Red Hat Security Advisory 2022-9073-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:16 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:9073-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9073  
Issue date:        2022-12-15  
CVE Names:         CVE-2021-44531 CVE-2021-44532 CVE-2021-44533  
                   CVE-2021-44906 CVE-2022-3517 CVE-2022-21824  
                   CVE-2022-43548  
====================================================================  
1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages were updated to later upstream versions: nodejs  
(16.18.1), nodejs-nodemon (2.0.20).

Security Fix(es):

* nodejs: Improper handling of URI Subject Alternative Names  
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection  
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields  
(CVE-2021-44533)

* minimist: prototype pollution (CVE-2021-44906)

* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

* nodejs: DNS rebinding in inspect via invalid octal IP address  
(CVE-2022-43548)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: Packaged version of undici does not fit with declared  
version. [rhel-8] (BZ#2151625)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names  
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection  
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields  
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties  
2066009 - CVE-2021-44906 minimist: prototype pollution  
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function  
2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address  
2142806 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.7.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-16.18.1-3.module+el8.7.0+17465+1a1abd74.src.rpm  
nodejs-nodemon-2.0.20-2.module+el8.7.0+17412+bb0e4a6b.src.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

aarch64:  
nodejs-16.18.1-3.module+el8.7.0+17465+1a1abd74.aarch64.rpm  
nodejs-debuginfo-16.18.1-3.module+el8.7.0+17465+1a1abd74.aarch64.rpm  
nodejs-debugsource-16.18.1-3.module+el8.7.0+17465+1a1abd74.aarch64.rpm  
nodejs-devel-16.18.1-3.module+el8.7.0+17465+1a1abd74.aarch64.rpm  
nodejs-full-i18n-16.18.1-3.module+el8.7.0+17465+1a1abd74.aarch64.rpm  
npm-8.19.2-1.16.18.1.3.module+el8.7.0+17465+1a1abd74.aarch64.rpm

noarch:  
nodejs-docs-16.18.1-3.module+el8.7.0+17465+1a1abd74.noarch.rpm  
nodejs-nodemon-2.0.20-2.module+el8.7.0+17412+bb0e4a6b.noarch.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

ppc64le:  
nodejs-16.18.1-3.module+el8.7.0+17465+1a1abd74.ppc64le.rpm  
nodejs-debuginfo-16.18.1-3.module+el8.7.0+17465+1a1abd74.ppc64le.rpm  
nodejs-debugsource-16.18.1-3.module+el8.7.0+17465+1a1abd74.ppc64le.rpm  
nodejs-devel-16.18.1-3.module+el8.7.0+17465+1a1abd74.ppc64le.rpm  
nodejs-full-i18n-16.18.1-3.module+el8.7.0+17465+1a1abd74.ppc64le.rpm  
npm-8.19.2-1.16.18.1.3.module+el8.7.0+17465+1a1abd74.ppc64le.rpm

s390x:  
nodejs-16.18.1-3.module+el8.7.0+17465+1a1abd74.s390x.rpm  
nodejs-debuginfo-16.18.1-3.module+el8.7.0+17465+1a1abd74.s390x.rpm  
nodejs-debugsource-16.18.1-3.module+el8.7.0+17465+1a1abd74.s390x.rpm  
nodejs-devel-16.18.1-3.module+el8.7.0+17465+1a1abd74.s390x.rpm  
nodejs-full-i18n-16.18.1-3.module+el8.7.0+17465+1a1abd74.s390x.rpm  
npm-8.19.2-1.16.18.1.3.module+el8.7.0+17465+1a1abd74.s390x.rpm

x86_64:  
nodejs-16.18.1-3.module+el8.7.0+17465+1a1abd74.x86_64.rpm  
nodejs-debuginfo-16.18.1-3.module+el8.7.0+17465+1a1abd74.x86_64.rpm  
nodejs-debugsource-16.18.1-3.module+el8.7.0+17465+1a1abd74.x86_64.rpm  
nodejs-devel-16.18.1-3.module+el8.7.0+17465+1a1abd74.x86_64.rpm  
nodejs-full-i18n-16.18.1-3.module+el8.7.0+17465+1a1abd74.x86_64.rpm  
npm-8.19.2-1.16.18.1.3.module+el8.7.0+17465+1a1abd74.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44531  
https://access.redhat.com/security/cve/CVE-2021-44532  
https://access.redhat.com/security/cve/CVE-2021-44533  
https://access.redhat.com/security/cve/CVE-2021-44906  
https://access.redhat.com/security/cve/CVE-2022-3517  
https://access.redhat.com/security/cve/CVE-2022-21824  
https://access.redhat.com/security/cve/CVE-2022-43548  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhBdzjgjWX9erEAQhbZw//eRrw7Ef247fnaUY49eqgPyugkIkRUb6t  
rRh40ufGuAgZyhgnccN/C107dF5flibRgXil+pBGlUZSP2ZqTT/EaSrayWF4HYbr  
Zv28k3bDl1j6SswO2/wMt8AsiT0WXmwlPqsIMETIuiO6V4LK7L7sIQZdFd2RSgUo  
gzvGwkYQ1EXTXjp22n3mXn5/YMRszpcGZRT/XjU89s0OVgtZRr/MvFky+73pPXIT  
GhsNJxaPorlRAfNb5A2mI4g58Pg5Oml/Gs+FBMRZSiseJ3MZPK63PDlkSCoi9VH4  
PYKO//mymwdLnKs31IP54UgH9mxwCXAicTuKkCwtsPx58RBaamRvBZc85VglSnUh  
3Ion7Akq55rrGzvcThpJplcxzIYKB3D+ncrhCMXkkYbF0TmRMRBynTJ2hA0U7f/X  
Ef3MukJrYBgGwheEL5h76q5SOtZtNKxQdYk8a6uZu1GXy0AwyCyEfJe5bTTWnhDs  
2torYPJ9kVvIc+q857EjopwR2DfzrXZP/FdHXBE+gJb19Lef2YDQ4ygOHb+ags5/  
0FCXtruBg0MDH9NG5Io38ObZwwp3DW7mTeFDkXSJ5ns+eAoTLKSwAx8VJU/Afddb  
wjVeaGn6CME9Z6ZtrjG8FV+k+jGqWbQ0ccvh4G+4CroL5dU9MYYLGJZpWG4yDB8t  
qPWYIbnTsDI=cObr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9073-01

Red Hat Security Advisory 2022-9068-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9068-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9068  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
firefox-102.6.0-1.el8_6.src.rpm

aarch64:  
firefox-102.6.0-1.el8_6.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_6.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_6.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_6.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_6.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_6.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_6.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_6.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_6.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_6.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_6.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhDNzjgjWX9erEAQhCGhAAh9wrK1g4NxDEWTLQCDfBdEB13B24d9wk  
qBp3q/1HGrAGs6XxN+GhUmfXlimGGtpca4Fcp6+qkRAQSQwGpGkd8fpJbK7Zxgqi  
68pfB7069vlUI7+ed4OAZSaMi10uhPXlvHL94W2cxaRPjlfOY1xibOXXEuwH7ht1  
mrXbml9zDiU6JjzrqEaCtJ4P7VpMRB9JVD23WNN4HHGkB/dQ14lKhreQuhZtDlLe  
csEMm+XCtlTT/xsUxWtEK8mtsW6NQI33OXsSn1WngOIekeqrZ4nB1xq6xiYeEmh0  
JnEKacDLZYyeGviXnAVQ3cw3zkvnO2O56MCFNU1mrsf0hy4m4mW9pvEGrYhT3Xyy  
NWVDpqeoLTCzMggwIZ6XfwnRDSEjSCnqZd2d0dEUTmiSweiWrHUxYHt+tGdKt8Sh  
wKlD39NQL0zDBoTbS4w0RxBMN86bbgb+T+qXrdDnzDyRWv8vLXt2XsShWYrlEEzQ  
v7+2KuXWfqz1XRgxu8BWCwtS/FwLZwARBB2RpZ/yOCJUjYw/t6ynued1mGSI1cY1  
Zxb61b2TtI7hYyjJAX5Fqukp/NAXFH6lo760kBK8hUhq4OKe2/Au6sCurGCRHT6W  
fjKUhG+Tz+z+JaSEOsG/JwbATo+AWwYGxYYblxNva7hkZpGMrSdpI/4C6zYxxDda  
RIPXx9yvmhQ=hid3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9068-01

Red Hat Security Advisory 2022-9075-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9075-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9075  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.6.0-2.el8_4.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.6.0-2.el8_4.s390x.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.s390x.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.s390x.rpm

x86_64:  
thunderbird-102.6.0-2.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_4.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhFdzjgjWX9erEAQgJoA//dXoxYRc6QpIZumqvdNX8mYhEcYpd18Xv  
hefH1VzXM5q0/uNtGCQMEQ3Jty+RJ8LCgRqSQWBh3M43Oubi2d6qL0S0cq9G1DC4  
LlMMLM359VOTqIQD615Q24GVrwYlZCmOmDlzVqt7ZWBOYmnCXTboosKkGio7AY29  
+jjZEtCYcUDlhkwHmP46eMjpQnsGyD30iRFGDXo2Bh2KhmMUzWWTz6+dMdZ2TKIY  
GBTS+Pxzn7wMDabZc9iYMPbxkU1TEwzBC9P0ZCLK5FlaQSkplfvmTu3/ToecQAkc  
EJUevbeivFsPs4tusrAw7lLRR6gE3ayFXodZ9MmzVDnbG6TI5L/AhcUv7kGJ7hn8  
j+uUHpm/mPU3W4Ux3jQKR5Bl/eEmnHTaw/UMkQP6Z3WFlUJkhIhkFoIX/Xz4BePE  
2yH/nqRxHGwobnPu0wwVmFzqz5x2AXzrFGlxGPus3VbkuI/M8ExdKIweU8Xj7EwF  
w8c72PDJMCK1atFlsXmsmNHhI8aqUhwJJQiCCfWKb+eTSKJNNjsXowSBdGdK8C8L  
Chnr4cHoN9hFc/81lo67D1sO4/R5sOYR/ZoBiHM3ibwteBYJSF5tUsnQ0BEDKvJH  
c4eb66Eowc1tdrpbzELxoChIcYvjD3PeLhU66QJQbGsNXRwJc8e/aLOa2dvm2vrz  
+MxZfcAttgU=3XRU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9075-01

Red Hat Security Advisory 2022-9071-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9071-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9071  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.6.0-1.el8_1.src.rpm

ppc64le:  
firefox-102.6.0-1.el8_1.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_1.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_1.ppc64le.rpm

x86_64:  
firefox-102.6.0-1.el8_1.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_1.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhHtzjgjWX9erEAQjFOA//bCHb3VrCnrVth/bYPBQIQPFtFDxMpo1j  
L+xg1IkE+PZT+Jt4XUkLQUCbgUsLMTnevoW7sGLhmnt725ajJWHt3jfsSb0orSaq  
nfiTD0dN372RpXTAeIRx6wwqjcOu5ca5jMGjmH3YynyORNKWp88OUcBkyNEC2BSm  
qJop6fIeXLqej4sGYtuy/jmmUqMUAOyrpBPYZP7nKOop14gT++uZOlg0o4fHF1jS  
shXc6hWK+gEuIWR06aaBArZrRrCFWTYbDh7gUXQrcQmV932ySCPJdrGNitG0dzQq  
Yk0QiH6qRCZdYI15IuWOGmjR1aHL6OJ4gXeYcLYF/2+YS042S/xgpzkYtN+7LokO  
eRk7UPQkBlAYfhIO9CbFpAM9m9hGjam/kMAQAjDgyyPCwUxQLQ9ge06bZS7qvnHM  
QDu1Rbzea0IhakSJX80iEzLNVr8CCcYHWhp3wnjOYsknQ0mMADaOQJF20j586biL  
3NWSXWf9Zu+uR9yTcn9an0l9zdSJrb4iRWYkkpJWYVBJ1NB06wXpckd9h9s37Jw+  
BcM4OONW+SnkOCoQwbU+5oKh59ZRTDw7lLu9NN3PO0PfCot6JprF6ASSUahpiX36  
d3LDcJ2jgiqkJ5U0qkGVczliZAL0lrTEOQCTfrLSPVP2DPel2VIODzRBo2mQgSlR  
YsDGuPuX5k0=AKSZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9071-01

Red Hat Security Advisory 2022-9078-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9078-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9078  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
thunderbird-102.6.0-2.el8_6.src.rpm

aarch64:  
thunderbird-102.6.0-2.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_6.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.6.0-2.el8_6.s390x.rpm  
thunderbird-debuginfo-102.6.0-2.el8_6.s390x.rpm  
thunderbird-debugsource-102.6.0-2.el8_6.s390x.rpm

x86_64:  
thunderbird-102.6.0-2.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_6.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhEdzjgjWX9erEAQjtUQ/8C6IjYBKV4wwxtUHzdX1NaEl9J4VJIU9u  
mNuVkyU2+TfuF9upjK9r/S9iK5GzeUH7ueDw5CYBkeNPOPCYR7b4a0nc/GmRJrU5  
CeZg8pKZ/BlJ/JZc0tlhCz/wS6l6PLQTYW83JQ+NvF/HLrMFIxvcNHK2pqabqqPB  
kDy/iORjIXZNn5KO0tHpSYm6FItPxnAlEKCFVL2rPQXpUKHOGweFODw8E/JiriEb  
1CoIEQwLoSbEtoWeJtQIusdHIbnv/VkFjYQQdPnNcMyERyvxh20V80RJNq88cC97  
N6K+nAJ9G6IjXcDom9DhDQV4CdmZFVdDUi1kwuDnE/MsxjvS8iO7XuZQPpgMAC3D  
eFFRLdGSsPKAdz1iiUnQ7Wr4T7DXgAcPmaktoSKB8WI34sMq3sHbZ/EXbIocMFox  
orHqVlnZkcNRO7fuuSEU8vBmmZEFTU4SzxT1yGjDS3/bC3X6Sqf54kMqVUTb6AqH  
XVkFfFeXeqmp0udJE4AG3ksFY4KuOoO5TJSCj7N3CVtIWkd1MbIu88jQWy/u5NGT  
lkWrLC3WU20EBrXa9C+sgJ7gRr5PS5UJq3x1VEV8NkSwwhf11W7vWCuZJ1eV9fdq  
n6QPEkoUoI/oQE4LhJLH2lc67BQW/vZ9rljlTMo/NzFu1maCCV4ntXGYLx7Ndlew  
Pk05j8DvGaM=9JhN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9078-01

Red Hat Security Advisory 2022-9080-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9080-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9080  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.6.0-2.el9_1.src.rpm

aarch64:  
thunderbird-102.6.0-2.el9_1.aarch64.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.aarch64.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.aarch64.rpm

ppc64le:  
thunderbird-102.6.0-2.el9_1.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.ppc64le.rpm

s390x:  
thunderbird-102.6.0-2.el9_1.s390x.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.s390x.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.s390x.rpm

x86_64:  
thunderbird-102.6.0-2.el9_1.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el9_1.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhGNzjgjWX9erEAQjtTw/6AqW1PdXm6F1AU3Neni40iiX0RA83g1uY  
B2BYJdojeJnh98kn7EpgUyPvoJaQuLd8CT8pqWvgr2g9Yl1vHrvz9gJeNasQxtmz  
nCzp41y6P7Gh8re+Fc9WFVEKkuT5Wl/u+4Q2gwIuUQMEeqd3aqg+DOyz6VbIObBs  
ftwwurT87UMm7hMt3sg9H7wQqn97/JQ2TUDD/eQVGFybXvDGVq/S4yG00IifO7rE  
jG2Gj1U0MMCdExNDpIxZ07zRkJJNAW4f0ywKNnsIGbyU3LSCwdfJS4UGCGLFaZDU  
rQZ2JwXp9QUBbVof3Sh8S47lft6XDYI1PlkwaX8T9CsNRNaQEQo0pjbOn4LK6uJ0  
I+0L5n3wH8gNlQQ8sAPsTjMjsKkrAkEovvNgC4+NFm408rlE3g0hSXTnnXVCc+3E  
/JfZJVrNE9vf2rwhv1xVcJ8ebqAbsdd7SZycZqe/BpeNqgW0ouKE99GP3baw4SkL  
FV739xDFbgdE08e/ltn7zfpnRP+nUBDouIopjmkej6jYvkk2ORUE6ywWvKrKNSHU  
2Uw+yyl/+RYzJ7C8+cTsC35B5gUDIBV4PjNV+oIXjJ7KkZaBP61mKjvkQ439NZob  
LUMdb4UuMInDJ4k3MKrZfQ1gw4pSFOG+62ve/XyS8vc/DSFF63T5y7HMSLGHvM8w  
kfxPKfoWkfc=yYPd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9080-01

Red Hat Security Advisory 2022-9079-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9079-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9079  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.6.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.6.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.6.0-2.el7_9.src.rpm

ppc64le:  
thunderbird-102.6.0-2.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.6.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.6.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug+9zjgjWX9erEAQiV3hAAh3uPsCvyTjse9NsVVfwIp1m8+zr2U0R1  
ddP+v4TMncoHIRDvJJpwjbl7iH99KwHVDhG3iL22U51osmrFUScU9u4a/LzU4lF7  
qB+SZcKsGcnhPwm860+J+4dO27PkyR+fH7Rf2uOtspcxVHIqvbjaI2uyqncgm9Et  
f0fBgiEZ2Z5o8sjLS97rv0hNRb8ESOczfzVUpxJYMoCxWy5FbFmBomnkfBdcdSpL  
yWmEv5wLkJ72hq6vTJIjoVuiHYxjzX34EPbreuNbRhE3jhPp+32Z6McFq5Ac9oPZ  
3b1QQWawzSlk6v/GUiciqa/FSgqoOFri9Nn5MHq4r2fnUktvZOSc9JWZlV0JZU6H  
O/MZQvojpCep9hRmy4KNIY0QD4xCp6yx9JhJrXFM0+BDHytOdM6lSfcVHZIYlJx+  
xezON5p2SFjPSRPq4WC+aXb95HoobO9Ssoa3p/Wen3tPM4aMWDyrwznzF1BQ5GR+  
KZbuVxZlGUaBMD1/d0D9VVW/V6Qs5N8WCj+cnPnc/m+BY780gM4RN96DJHRhv4NU  
2FLLjcZxR9pfdp3tGeXeGrhTdBMbdhjPheGWMGgddg6Txm47SqYacFaEaH/XfwLf  
1dPXT6/Mrp0/nRUMDJLdw0YspSYdGF7/yQagihrsYit6afiUyHjnnxrl1I2mJKeE  
n6Mib/lcL98=FZY6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9079-01

Red Hat Security Advisory 2022-9069-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9069-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9069  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.6.0-1.el8_4.src.rpm

aarch64:  
firefox-102.6.0-1.el8_4.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_4.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_4.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_4.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_4.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_4.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_4.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_4.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_4.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_4.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_4.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug9NzjgjWX9erEAQgvGBAAm3DsjV2ukRrjY3hWSokjyaVPpt9YzgED  
R2O6yhERREcT1uz+gFh4PrnuIEHbI0aE7Z62qdDhS+70ZOnGlEXHQLEy821GX6oH  
YTO00avi0HNmP/VCxMjIYFSsYNnN0GRgjsuXSx9r5wSN3rFr3S25Z0jJlfI5y5cZ  
lmzRC0qgu7AYaXU/fT/I27E+rzJwvQ3A4x6ym5X//1FqPK9GF2PL3+1no6QsWRJQ  
GN0HX56v1WYzwJlr0wNPoYtA5cZtZHUWI7KD01nCE4FbWchN/leCnBTS8NhShcqc  
ibvrWhShWJnysdm/e71EstD77BDiEX/kUgMh3C2n6dI9BJ7pNtcTudyxrV84YhOq  
jdzV+7kUaU+hicdZqo+BPq/Jj/nfokOxT6nw3NkpIN1dyZp70k+R8wwDF7iIUUYt  
XXLOYWn9f8mLdoJ4zw0U/D90OtfMs35EcaoxVXK9TdPsYzj5owcscQkA1lQVg0TC  
KkmkzJRaEirsWQCkWsjlQRom5SpmLhOoGi9N7BJyPdgfVQ9kHoDKr6nDXwBgvqRO  
vNbK7tq6lahoWMy7qslAtntEKJYZZS780B+XHk1cmqTZj3KiBDtUJ43eu3OCzu18  
ipw04rJ83/HY7M3yg/+AagF8ZTPWdrAr4X8XOnb2Yro58x+yU0c/qqSo8jdmV6LF  
X/pyRBxqEVI=MfrL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9069-01

Red Hat Security Advisory 2022-9067-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9067-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9067  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.6.0-1.el8_7.src.rpm

aarch64:  
firefox-102.6.0-1.el8_7.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_7.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_7.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_7.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_7.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_7.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_7.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_7.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_7.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_7.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_7.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhINzjgjWX9erEAQhsCBAAofrVoNgJJ6cPmdajVnfBs1/mUEAli9jI  
V683ma7DQazn20wBOzqLq4aTGNYxVfQFalgfL3jOSYg8qlPcugDh5jAJet/h3RWI  
1pJlC83Ud+QZDU+rbH9oMx7RW1rDbgeuvtR03EMrrL4s9sxgWmTy4+9eFJYofDnL  
culbyd2PzOc9whMbH5Z4y2W4AszBNU9yrUQzIRu1VSXq7uhdA7dyyahtxsCjiTQl  
s0VQADsJuxxCgYk0Xcb8B376kMgg8qZWgDsg/Iv4TXgv0Y9e853HIvswNivXXLCd  
BxU34vEDSTLIoSee3vCCeNKg0SSp1R3zL9bnLK1Hy03WSDnOvO0r2QSksOCs+5WD  
CZ1Y32auq05U3yY+1pg01JNLbOTwxtfejqxQNI/liaQy8p3Sp+tdNpLO40sirawT  
/kwOMhZjEgZwMiy80qkhMFZvBmsvosN7rJQxlLRkUS1wLwhYerX3F8EvgrqNOpAy  
mInilC8KX3iJZm79GtrG9fciUUCJWCGwQg0D3+JZgzHrTz7WUiwSxVnRr5lLGE8X  
h4QotqyCLdanR/Tt7RNQpro9FGTNodlHp20kk2uCHB0GcQ3zL1Z1DZ8TfEYf2rRm  
mQ8Ldp7OlaL53+IiU0unytZSAV9ypVfyy1CDN09CL68+jSftO/PRvWN9b7X0ld5W  
LHBMnzo9r0kJF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js