Red Hat Security Advisory 2023-4500-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Issues addressed include buffer overflow, bypass, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4500-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4500  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-3417 CVE-2023-4045 CVE-2023-4046  
                   CVE-2023-4047 CVE-2023-4048 CVE-2023-4049  
                   CVE-2023-4050 CVE-2023-4055 CVE-2023-4056  
                   CVE-2023-4057  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4  
Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update  
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v.8.4) - x86_64  
Red Hat Enterprise Linux AppStream E4S (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.14.0.

Security Fix(es):

* Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
(CVE-2023-4045)

* Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-4047)

* Mozilla: Crash in DOMParser due to out-of-memory conditions  
(CVE-2023-4048)

* Mozilla: Fix potential race conditions when releasing platform objects  
(CVE-2023-4049)

* Mozilla: Stack buffer overflow in StorageManager (CVE-2023-4050)

* Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,  
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
(CVE-2023-4056)

* Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird  
115.1 (CVE-2023-4057)

* thunderbird: File Extension Spoofing using the Text Direction Override  
Character (CVE-2023-3417)

* Mozilla: Cookie jar overflow caused unexpected cookie jar state  
(CVE-2023-4055)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2225325 - CVE-2023-3417 thunderbird: File Extension Spoofing using the Text Direction Override Character  
2228360 - CVE-2023-4045 Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
2228361 - CVE-2023-4046 Mozilla: Incorrect value used during WASM compilation  
2228362 - CVE-2023-4047 Mozilla: Potential permissions request bypass via clickjacking  
2228363 - CVE-2023-4048 Mozilla: Crash in DOMParser due to out-of-memory conditions  
2228364 - CVE-2023-4049 Mozilla: Fix potential race conditions when releasing platform objects  
2228365 - CVE-2023-4050 Mozilla: Stack buffer overflow in StorageManager  
2228367 - CVE-2023-4055 Mozilla: Cookie jar overflow caused unexpected cookie jar state  
2228370 - CVE-2023-4056 Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
2228371 - CVE-2023-4057 Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird 115.1

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v.8.4):

Source:  
thunderbird-102.14.0-1.el8_4.src.rpm

x86_64:  
thunderbird-102.14.0-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v.8.4):

Source:  
thunderbird-102.14.0-1.el8_4.src.rpm

aarch64:  
thunderbird-102.14.0-1.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.aarch64.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.14.0-1.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.14.0-1.el8_4.s390x.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.s390x.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.s390x.rpm

x86_64:  
thunderbird-102.14.0-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v.8.4):

Source:  
thunderbird-102.14.0-1.el8_4.src.rpm

aarch64:  
thunderbird-102.14.0-1.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.aarch64.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.14.0-1.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.14.0-1.el8_4.s390x.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.s390x.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.s390x.rpm

x86_64:  
thunderbird-102.14.0-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3417  
https://access.redhat.com/security/cve/CVE-2023-4045  
https://access.redhat.com/security/cve/CVE-2023-4046  
https://access.redhat.com/security/cve/CVE-2023-4047  
https://access.redhat.com/security/cve/CVE-2023-4048  
https://access.redhat.com/security/cve/CVE-2023-4049  
https://access.redhat.com/security/cve/CVE-2023-4050  
https://access.redhat.com/security/cve/CVE-2023-4055  
https://access.redhat.com/security/cve/CVE-2023-4056  
https://access.redhat.com/security/cve/CVE-2023-4057  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0P3gAAoJENzjgjWX9erEeH0P/1M0cfMSwsEYmKb2lAnc4XuD  
LBA+/ACSx0pmBMqAoG6KMGyv9pLGL4afyTkuUdwrqebX++yxZFK/EZCMa5/vrQei  
NRNx0sCjAdqVlCbqosM5QJUPkHWvt1vLLttJFkbPwDeA/N5/6zOkrjQUNXwH5bOZ  
qUsWXVfJQra6PHQ1wQa5UrrjdPD3eaZkpwKyDNek41bRMcCYRPS10HKeTBj0rWfQ  
bXAGieb7zO3O3EqvJMZ7G21MV80r27Hip+ydP07sJVxz3Za/i/cGtyHzU9Kp0xMp  
7SUkc+LMksNcNCw1/o6yhZdTdRyMgGwEriP0hT9sy7OKHyV3yvkZAQ1OpIINOZ1m  
6H/yFDy18Uhg3mj4LoO72M4VmJAoL9Zd6LjC89mNmWuGXD/TTlHrnBSATz+W3mBA  
ZKZAN+xByw31s/Q1CMsIU/t+VpJev3EIOCrIAkf3jIq4yUb04AShlJk4JAmCNmW8  
xuUQne6bfAw4lZiDqx/JyaV6pulqmGAPFOU2klZNO0EByzv5yeoC8A17oEYzahQq  
EvJDhg8/fTDHxZwtQm0OupZQY9CvfQaxaCz5OJrH43rQnfK8mDWrEW4IkZz4fLNo  
Nn4U+x4kNTMj7T0RSdewWD4qyS3juWeTXRSkSCyv1ksVpGtQWG2AJh7dypCHg51X  
07ioqq8PHwK2s5ytPmja  
=MOUN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4500-01

Red Hat Security Advisory 2023-4495-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Issues addressed include buffer overflow, bypass, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4495-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4495  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-3417 CVE-2023-4045 CVE-2023-4046  
                   CVE-2023-4047 CVE-2023-4048 CVE-2023-4049  
                   CVE-2023-4050 CVE-2023-4055 CVE-2023-4056  
                   CVE-2023-4057  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.14.0.

Security Fix(es):

* Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
(CVE-2023-4045)

* Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-4047)

* Mozilla: Crash in DOMParser due to out-of-memory conditions  
(CVE-2023-4048)

* Mozilla: Fix potential race conditions when releasing platform objects  
(CVE-2023-4049)

* Mozilla: Stack buffer overflow in StorageManager (CVE-2023-4050)

* Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,  
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
(CVE-2023-4056)

* Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird  
115.1 (CVE-2023-4057)

* thunderbird: File Extension Spoofing using the Text Direction Override  
Character (CVE-2023-3417)

* Mozilla: Cookie jar overflow caused unexpected cookie jar state  
(CVE-2023-4055)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2225325 - CVE-2023-3417 thunderbird: File Extension Spoofing using the Text Direction Override Character  
2228360 - CVE-2023-4045 Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
2228361 - CVE-2023-4046 Mozilla: Incorrect value used during WASM compilation  
2228362 - CVE-2023-4047 Mozilla: Potential permissions request bypass via clickjacking  
2228363 - CVE-2023-4048 Mozilla: Crash in DOMParser due to out-of-memory conditions  
2228364 - CVE-2023-4049 Mozilla: Fix potential race conditions when releasing platform objects  
2228365 - CVE-2023-4050 Mozilla: Stack buffer overflow in StorageManager  
2228367 - CVE-2023-4055 Mozilla: Cookie jar overflow caused unexpected cookie jar state  
2228370 - CVE-2023-4056 Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
2228371 - CVE-2023-4057 Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird 115.1

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.14.0-1.el7_9.src.rpm

x86_64:  
thunderbird-102.14.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.14.0-1.el7_9.src.rpm

ppc64le:  
thunderbird-102.14.0-1.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.14.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.14.0-1.el7_9.src.rpm

x86_64:  
thunderbird-102.14.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3417  
https://access.redhat.com/security/cve/CVE-2023-4045  
https://access.redhat.com/security/cve/CVE-2023-4046  
https://access.redhat.com/security/cve/CVE-2023-4047  
https://access.redhat.com/security/cve/CVE-2023-4048  
https://access.redhat.com/security/cve/CVE-2023-4049  
https://access.redhat.com/security/cve/CVE-2023-4050  
https://access.redhat.com/security/cve/CVE-2023-4055  
https://access.redhat.com/security/cve/CVE-2023-4056  
https://access.redhat.com/security/cve/CVE-2023-4057  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0P3OAAoJENzjgjWX9erE5HkP/3wf0pb7J7dMsEry7Mx8rX6I  
KD+WC4r2CodrRi2uh3rdjYeey2z+Z7geo+62+QpnNXKD29wiKAt46tk0mDOrRi/h  
vMuyN+eZ+XiWjRIfipkViCYOG0fXSG5e4IekdFTkv/ju/eovevbujd9V4LVlE9ha  
FWO3nGn1d0qJgUxdmbkHNFIvQefzjj7VhOTXLRS/ouIQqXUiQ42qowA8udjghQHA  
BTcTMNjmcEPVJi/M6xiBsdv+o0CH+S4rzSCHDOEo+494okHsl8hAedVonjJATD5A  
dfyPfU4xnrp13K2uPfcPn3aqWgDx2taJDm5qxfYt/ww9qmrq+mmWz3dzeTGpt49m  
DZqm1fFFf/VreIH6+cUEWRhGvswf/dzUprqDEkhpN1oXT7EPyB1F7IWfJvLMV6j0  
JfguoPIoe1MwO5e34gdTzMiXDkfKPq34w6W1xofqZdoezqYSAYMhsfkBDq2JCCFm  
t4wLd52UlRR/d1s6pfdj02uuWS0cxY2jfXMgIgb2OMtoBfo98iaChpb4OdWf8BT3  
K68mV9HjR4QITvdYDAhwViBSNh6ccnPfZVR6vjNneXvyJa1YeE2/+IutbIsgkUnV  
DYfdoQiMTUFQuv1lX/IjNPKdKBHrEnyRQ6XOFrHWeZ54NMuhKuQGPe6I1NzbD8f5  
rkxpStOKC0QaSIf4zW6q  
=uGal  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4495-01

Red Hat Security Advisory 2023-4496-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Issues addressed include buffer overflow, bypass, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4496-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4496  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-3417 CVE-2023-4045 CVE-2023-4046  
                   CVE-2023-4047 CVE-2023-4048 CVE-2023-4049  
                   CVE-2023-4050 CVE-2023-4055 CVE-2023-4056  
                   CVE-2023-4057  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.14.0.

Security Fix(es):

* Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
(CVE-2023-4045)

* Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-4047)

* Mozilla: Crash in DOMParser due to out-of-memory conditions  
(CVE-2023-4048)

* Mozilla: Fix potential race conditions when releasing platform objects  
(CVE-2023-4049)

* Mozilla: Stack buffer overflow in StorageManager (CVE-2023-4050)

* Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,  
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
(CVE-2023-4056)

* Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird  
115.1 (CVE-2023-4057)

* thunderbird: File Extension Spoofing using the Text Direction Override  
Character (CVE-2023-3417)

* Mozilla: Cookie jar overflow caused unexpected cookie jar state  
(CVE-2023-4055)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2225325 - CVE-2023-3417 thunderbird: File Extension Spoofing using the Text Direction Override Character  
2228360 - CVE-2023-4045 Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
2228361 - CVE-2023-4046 Mozilla: Incorrect value used during WASM compilation  
2228362 - CVE-2023-4047 Mozilla: Potential permissions request bypass via clickjacking  
2228363 - CVE-2023-4048 Mozilla: Crash in DOMParser due to out-of-memory conditions  
2228364 - CVE-2023-4049 Mozilla: Fix potential race conditions when releasing platform objects  
2228365 - CVE-2023-4050 Mozilla: Stack buffer overflow in StorageManager  
2228367 - CVE-2023-4055 Mozilla: Cookie jar overflow caused unexpected cookie jar state  
2228370 - CVE-2023-4056 Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
2228371 - CVE-2023-4057 Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird 115.1

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
thunderbird-102.14.0-1.el8_2.src.rpm

x86_64:  
thunderbird-102.14.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
thunderbird-102.14.0-1.el8_2.src.rpm

ppc64le:  
thunderbird-102.14.0-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.14.0-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.14.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
thunderbird-102.14.0-1.el8_2.src.rpm

x86_64:  
thunderbird-102.14.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3417  
https://access.redhat.com/security/cve/CVE-2023-4045  
https://access.redhat.com/security/cve/CVE-2023-4046  
https://access.redhat.com/security/cve/CVE-2023-4047  
https://access.redhat.com/security/cve/CVE-2023-4048  
https://access.redhat.com/security/cve/CVE-2023-4049  
https://access.redhat.com/security/cve/CVE-2023-4050  
https://access.redhat.com/security/cve/CVE-2023-4055  
https://access.redhat.com/security/cve/CVE-2023-4056  
https://access.redhat.com/security/cve/CVE-2023-4057  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0P3zAAoJENzjgjWX9erEHuMQAJzYbHSO64RfCUKDP5BDcbcm  
NDW620nj10HjbuQdRWML0i7ClLXI7M5M/qhVGtF1tNOPNIqGLzt0xZwB1WF6Ub49  
0ASHMkWvBgg5r+4Xbg9DyD9aYAd2FzbyI7CLm2XGOfABGSbsFHr4SOCVj5xMkm66  
/rZ/lASvu+ofrWtj6HpHQBvzUB21purp/r6EwhS85FxesYJ+L3v+OsFLbTU6XiHN  
4fD23mc7paLerfU3mcKCT4PaxjzHA3qefTyFZrdqP60DV0ceCQ3Ft4VZ88eZREFW  
Uc04aopQfqPGRjYC3W4ndjiNUTcDmbu/hVLSA0Cw21MlEC/oKmXKsHcR8qT6F06T  
F0NrDvpZiwi88ir1QdldP+HmzQSvhGSgeEC0eegEuUHwmFvOIEWh9qoOGlglQp1k  
Yb3SSgPB6ybLBQmE3pSJsO11FCtTUeMqeQit+3OnAjbbhTEUcVYNfuSX/z+FVBMQ  
29WeprIk2Bpwh/g93L3VZ0D/Hg6IyCc4UadPqAsErDHxOAll+g9lIke00S0oRvX8  
+i4GkxYZBrppmIFc+rIAvFMLXch5CY5K1sqh7R5xjCJFg7h2mX4KGhDFfksipIUh  
rwlL3qQNij5Osgud89wUaARog64GawcSu4BIZZ4Ft8NAD7/GLObaAO0pJZiU5/Vj  
Ff/VoBLCkmuFuRCE3VxK  
=s8Mp  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4496-01

Red Hat Security Advisory 2023-4493-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Issues addressed include buffer overflow, bypass, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4493-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4493  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-3417 CVE-2023-4045 CVE-2023-4046  
                   CVE-2023-4047 CVE-2023-4048 CVE-2023-4049  
                   CVE-2023-4050 CVE-2023-4055 CVE-2023-4056  
                   CVE-2023-4057  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.14.0.

Security Fix(es):

* Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
(CVE-2023-4045)

* Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-4047)

* Mozilla: Crash in DOMParser due to out-of-memory conditions  
(CVE-2023-4048)

* Mozilla: Fix potential race conditions when releasing platform objects  
(CVE-2023-4049)

* Mozilla: Stack buffer overflow in StorageManager (CVE-2023-4050)

* Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,  
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
(CVE-2023-4056)

* Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird  
115.1 (CVE-2023-4057)

* thunderbird: File Extension Spoofing using the Text Direction Override  
Character (CVE-2023-3417)

* Mozilla: Cookie jar overflow caused unexpected cookie jar state  
(CVE-2023-4055)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2225325 - CVE-2023-3417 thunderbird: File Extension Spoofing using the Text Direction Override Character  
2228360 - CVE-2023-4045 Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
2228361 - CVE-2023-4046 Mozilla: Incorrect value used during WASM compilation  
2228362 - CVE-2023-4047 Mozilla: Potential permissions request bypass via clickjacking  
2228363 - CVE-2023-4048 Mozilla: Crash in DOMParser due to out-of-memory conditions  
2228364 - CVE-2023-4049 Mozilla: Fix potential race conditions when releasing platform objects  
2228365 - CVE-2023-4050 Mozilla: Stack buffer overflow in StorageManager  
2228367 - CVE-2023-4055 Mozilla: Cookie jar overflow caused unexpected cookie jar state  
2228370 - CVE-2023-4056 Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
2228371 - CVE-2023-4057 Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird 115.1

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
thunderbird-102.14.0-1.el8_6.src.rpm

aarch64:  
thunderbird-102.14.0-1.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_6.aarch64.rpm  
thunderbird-debugsource-102.14.0-1.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.14.0-1.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.14.0-1.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.14.0-1.el8_6.s390x.rpm  
thunderbird-debuginfo-102.14.0-1.el8_6.s390x.rpm  
thunderbird-debugsource-102.14.0-1.el8_6.s390x.rpm

x86_64:  
thunderbird-102.14.0-1.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_6.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3417  
https://access.redhat.com/security/cve/CVE-2023-4045  
https://access.redhat.com/security/cve/CVE-2023-4046  
https://access.redhat.com/security/cve/CVE-2023-4047  
https://access.redhat.com/security/cve/CVE-2023-4048  
https://access.redhat.com/security/cve/CVE-2023-4049  
https://access.redhat.com/security/cve/CVE-2023-4050  
https://access.redhat.com/security/cve/CVE-2023-4055  
https://access.redhat.com/security/cve/CVE-2023-4056  
https://access.redhat.com/security/cve/CVE-2023-4057  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0P2fAAoJENzjgjWX9erE2ygP/2TMRR/93qYrshHSYXzFutcE  
V1F7HrYAl0M/VfIgDLIITQPCBrgYMrvt72yjf4Pn/FswH3N2oxwPYw8qEhhO2Z0I  
oQrDEKH0Pkxrku3Ssm6s3uRSVdFNewpWHasT8y9+rk7eBHyvGG+Cn0j4DoZhntI0  
PeCUqaoXaP+lWDFda4YQMcZj6+NnhHU5tyxUi/Fd+PoQnmkTeNtXHPJ7G5RkywZD  
lCS9fH72N/booPgxSq/0G086MWFbFUhAJFzbGBQ4NnDwXQ4MX1vfPjh/lMYUvA/s  
zq9ykCXfE17U2AH7YHb/l3I5gP0oS4wMrFqdqO+NgUAn+eljuI55qrlxxWHfv8qY  
95BDhEg72Hu1MMb0ictyOtSTa1d2WmPrTcB//IC1kS9cJ5cCBXm2YyNv5oGe+UdP  
COX70ifq3ZB9mBCI0V0vnPe1KLzW9ocl2HtS2xo4dSqkInED1JjYlAuO5lRq5r6u  
2dwM9N/cC5VGufGxcYcTLv6fH1BLWM77S38pOkUEhx/xBTxQtzWQEmaf9uM5jAly  
5BNH0r9pHMiXA9ShNGuZb1kyU1rvJjwRYN+IFxg7M7t+LwoXZ4Tkc268CnV5GfWZ  
bbycubepNz7m2KksZZddOj+uu8p/lSC71m8fsxcSYRURCE7hHzhdg3OPPdktJ2eu  
eMpVOF9NJr8siFLgq0+C  
=emMd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4493-01

Red Hat Security Advisory 2023-4494-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Issues addressed include buffer overflow, bypass, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4494-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4494  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-3417 CVE-2023-4045 CVE-2023-4046  
                   CVE-2023-4047 CVE-2023-4048 CVE-2023-4049  
                   CVE-2023-4050 CVE-2023-4055 CVE-2023-4056  
                   CVE-2023-4057  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.14.0.

Security Fix(es):

* Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
(CVE-2023-4045)

* Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-4047)

* Mozilla: Crash in DOMParser due to out-of-memory conditions  
(CVE-2023-4048)

* Mozilla: Fix potential race conditions when releasing platform objects  
(CVE-2023-4049)

* Mozilla: Stack buffer overflow in StorageManager (CVE-2023-4050)

* Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,  
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
(CVE-2023-4056)

* Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird  
115.1 (CVE-2023-4057)

* thunderbird: File Extension Spoofing using the Text Direction Override  
Character (CVE-2023-3417)

* Mozilla: Cookie jar overflow caused unexpected cookie jar state  
(CVE-2023-4055)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2225325 - CVE-2023-3417 thunderbird: File Extension Spoofing using the Text Direction Override Character  
2228360 - CVE-2023-4045 Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
2228361 - CVE-2023-4046 Mozilla: Incorrect value used during WASM compilation  
2228362 - CVE-2023-4047 Mozilla: Potential permissions request bypass via clickjacking  
2228363 - CVE-2023-4048 Mozilla: Crash in DOMParser due to out-of-memory conditions  
2228364 - CVE-2023-4049 Mozilla: Fix potential race conditions when releasing platform objects  
2228365 - CVE-2023-4050 Mozilla: Stack buffer overflow in StorageManager  
2228367 - CVE-2023-4055 Mozilla: Cookie jar overflow caused unexpected cookie jar state  
2228370 - CVE-2023-4056 Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
2228371 - CVE-2023-4057 Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird 115.1

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
thunderbird-102.14.0-1.el9_0.src.rpm

aarch64:  
thunderbird-102.14.0-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-102.14.0-1.el9_0.aarch64.rpm  
thunderbird-debugsource-102.14.0-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-102.14.0-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-102.14.0-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-102.14.0-1.el9_0.s390x.rpm  
thunderbird-debuginfo-102.14.0-1.el9_0.s390x.rpm  
thunderbird-debugsource-102.14.0-1.el9_0.s390x.rpm

x86_64:  
thunderbird-102.14.0-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el9_0.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3417  
https://access.redhat.com/security/cve/CVE-2023-4045  
https://access.redhat.com/security/cve/CVE-2023-4046  
https://access.redhat.com/security/cve/CVE-2023-4047  
https://access.redhat.com/security/cve/CVE-2023-4048  
https://access.redhat.com/security/cve/CVE-2023-4049  
https://access.redhat.com/security/cve/CVE-2023-4050  
https://access.redhat.com/security/cve/CVE-2023-4055  
https://access.redhat.com/security/cve/CVE-2023-4056  
https://access.redhat.com/security/cve/CVE-2023-4057  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0P2tAAoJENzjgjWX9erE8R4QAJUHVxuPB6Nwx+WzZrKzaUmd  
fqnRB2xQXrFEZAjgYUTo1a2DmCHdVNw320G2KacahiOcsz5f1Kh+/HgwTFVc5at/  
d8aRECut6OHxBKsCigohCMtKAVIyzIORAQfVei0cn+9vcDAYxFhaf0zGU7+y4AJv  
S/WiyDU9kpWzAPCmYgZDfQ6jQlZEI7IbdHaBtPm06JMdmmklm+pK02Lb9spBimTz  
0nnAGgURcUsCDzCGBJO/7wAnVkCvD2tVHqD7aQ9x7DKW71fQqhMBJ9xxs7gXOXVe  
j8r8CEIUliGzqeuIgE+mm4DzrVxpRcwqxpc5tdKBXaBy5Pr0YxZe0Ho96sDk02j6  
AL/Be4H1o6phpl6AlpvNrwPOO5l2mFJjchwvfSn5D0GCAS00qmavvSeTD1sc/RA6  
3LQXCCgPzvQeykKqdIxG3dAB3dYNtXKHYdf4PWJB2lzqBCBgAW80Aw2bq6CHSXNs  
Yw3ESWDOE4fLBIxTYuVsvgilq9Q6Xm4UhkzpA1yBakJeyWEVbu5oorxFRyzhGXVv  
IR/5tAxsQ/VLevyKMH8AEbhxRhW1GQsmxeZV6Fuy85GyahfSw68mhkJg3NuwEoTS  
Syb18fiHsDg0u70BLglcSMSLrd5QGROHoJQYbZGgpl3tN/6ECQWIfgIpziyGGjHW  
zpsu67T9sa/wnmWFkUBW  
=ICtZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4494-01

Red Hat Security Advisory 2023-4498-01 - D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: dbus security update  
Advisory ID:       RHSA-2023:4498-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4498  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-34969  
====================================================================  
1. Summary:

An update for dbus is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

D-Bus is a system for sending messages between applications. It is used  
both for the system-wide message bus service, and as a  
per-user-login-session messaging facility.

Security Fix(es):

* dbus: dbus-daemon: assertion failure when a monitor is active and a  
message from the driver cannot be delivered (CVE-2023-34969)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all running instances of dbus-daemon and all  
running applications using the libdbus library must be restarted, or the  
system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2213166 - CVE-2023-34969 dbus: dbus-daemon: assertion failure when a monitor is active and a message from the driver cannot be delivered

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-devel-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-x11-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm

ppc64le:  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-devel-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-x11-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm

s390x:  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.s390x.rpm  
dbus-devel-1.12.8-24.el8_8.1.s390x.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-x11-1.12.8-24.el8_8.1.s390x.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.s390x.rpm

x86_64:  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.i686.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-devel-1.12.8-24.el8_8.1.i686.rpm  
dbus-devel-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-x11-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
dbus-1.12.8-24.el8_8.1.src.rpm

aarch64:  
dbus-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-daemon-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-libs-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-tools-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.aarch64.rpm

noarch:  
dbus-common-1.12.8-24.el8_8.1.noarch.rpm

ppc64le:  
dbus-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-daemon-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-libs-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-tools-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.ppc64le.rpm

s390x:  
dbus-1.12.8-24.el8_8.1.s390x.rpm  
dbus-daemon-1.12.8-24.el8_8.1.s390x.rpm  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.s390x.rpm  
dbus-libs-1.12.8-24.el8_8.1.s390x.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-tools-1.12.8-24.el8_8.1.s390x.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.s390x.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.s390x.rpm

x86_64:  
dbus-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-daemon-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-daemon-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.i686.rpm  
dbus-debugsource-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-libs-1.12.8-24.el8_8.1.i686.rpm  
dbus-libs-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-libs-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-tests-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-tools-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-tools-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.i686.rpm  
dbus-x11-debuginfo-1.12.8-24.el8_8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-34969  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0P29AAoJENzjgjWX9erEIpIP/iA+jp4RpqfkakYFyKwh/Ri+  
/uBcu4iMdJtLK/gdPGh3EAImZ5yyyunfsd0vFg31QDkO/rTbREaHMJAF/Z/Yk/bH  
gY0lm+3ooT/uPV0SS6b3lHMw+JdUNrFXOW7WD4UTGylTrt4zGadPx3buDkFNF2K/  
t8ToRWw2gcqP04NZvYCdyAGj+29asS//LMgHkq8V4fxvGDlW/p2rTIQXJg4O0V45  
s5c46F3rwpfcx8OKmDSO+EogQosT5dG92YYKTvWRpfujYz2hQMW7WUASajB3eXBZ  
sNRMNI/g9wjPNRRPvn2oMNGkcc+sjAHkkI8AS37cafC2HtTIsvlicnE9TPafCnYx  
i7TvKqy3/oJ2bx11X99D77tVwlRvXfaKVhCi+qyXA/8SXI6H81OYfjqzL27Gff4Q  
/kJmoIob2wWoFlV4zElEBT5ByTI/JZ/T7d6p2cNrIXtajuPWkmF2+Ic3j3XMiQkw  
WhjMOuf/fCm3kDuZFDyO5aen6DqEMgvL8GzVN4F1WNtkkG8kqGr+L0MUu2yDvB1L  
T+vrTPItN8NqRjImEJwn/rtJRb4sepkTR1hdr0XukaJJiyhdyTOGkOkYvXRCcrqD  
NG0AD3gcGKRs8Pg+J2Bbzy4RVnsFlX4+z8Dtomr00Yd8j6H7Ko58Xqgtzuze4z9Z  
7mrHj3Q/YVchFCMQTB0l  
=Je9q  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4498-01

Red Hat Security Advisory 2023-4492-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Issues addressed include buffer overflow, bypass, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:4492-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4492  
Issue date:        2023-08-07  
CVE Names:         CVE-2023-3417 CVE-2023-4045 CVE-2023-4046  
                   CVE-2023-4047 CVE-2023-4048 CVE-2023-4049  
                   CVE-2023-4050 CVE-2023-4055 CVE-2023-4056  
                   CVE-2023-4057  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.14.0.

Security Fix(es):

* Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
(CVE-2023-4045)

* Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-4047)

* Mozilla: Crash in DOMParser due to out-of-memory conditions  
(CVE-2023-4048)

* Mozilla: Fix potential race conditions when releasing platform objects  
(CVE-2023-4049)

* Mozilla: Stack buffer overflow in StorageManager (CVE-2023-4050)

* Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,  
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
(CVE-2023-4056)

* Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird  
115.1 (CVE-2023-4057)

* thunderbird: File Extension Spoofing using the Text Direction Override  
Character (CVE-2023-3417)

* Mozilla: Cookie jar overflow caused unexpected cookie jar state  
(CVE-2023-4055)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2225325 - CVE-2023-3417 thunderbird: File Extension Spoofing using the Text Direction Override Character  
2228360 - CVE-2023-4045 Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions  
2228361 - CVE-2023-4046 Mozilla: Incorrect value used during WASM compilation  
2228362 - CVE-2023-4047 Mozilla: Potential permissions request bypass via clickjacking  
2228363 - CVE-2023-4048 Mozilla: Crash in DOMParser due to out-of-memory conditions  
2228364 - CVE-2023-4049 Mozilla: Fix potential race conditions when releasing platform objects  
2228365 - CVE-2023-4050 Mozilla: Stack buffer overflow in StorageManager  
2228367 - CVE-2023-4055 Mozilla: Cookie jar overflow caused unexpected cookie jar state  
2228370 - CVE-2023-4056 Mozilla: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14  
2228371 - CVE-2023-4057 Mozilla: Memory safety bugs fixed in Firefox ESR 115.1, and Thunderbird 115.1

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.14.0-1.el8_1.src.rpm

ppc64le:  
thunderbird-102.14.0-1.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.14.0-1.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.14.0-1.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.14.0-1.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.14.0-1.el8_1.x86_64.rpm  
thunderbird-debugsource-102.14.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-3417  
https://access.redhat.com/security/cve/CVE-2023-4045  
https://access.redhat.com/security/cve/CVE-2023-4046  
https://access.redhat.com/security/cve/CVE-2023-4047  
https://access.redhat.com/security/cve/CVE-2023-4048  
https://access.redhat.com/security/cve/CVE-2023-4049  
https://access.redhat.com/security/cve/CVE-2023-4050  
https://access.redhat.com/security/cve/CVE-2023-4055  
https://access.redhat.com/security/cve/CVE-2023-4056  
https://access.redhat.com/security/cve/CVE-2023-4057  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0KknAAoJENzjgjWX9erEfs8P/i953/EmQot5VOOS+M5m0zs3  
scrXBTyLhcyTzI/K+LdGbj7HNWfAVeusEfvWQxE6Cj3SKTZ4w+5m+ozyMmFuSuBG  
JGHh/NvpMj0n1YHIDqx4zggj9+mZ45pM8agogESPZorxfDUWDUuJNDqc2NKeU8u/  
dPLTLE5ca0HcACF/CX3tX+8I3cQC/gmPm9UA7ENeAWpJu4MxVZdInEAOO89Dud2s  
Qszym4qSRgcaRrrZ7uedJE+iRFrSfwnE1n7QT5oeo17lVmzJ2qv+rzOv9qCyYHtD  
gYgxpa1JjO+7mayyFKc7pMTc+KrgEozh+NicOazrK8MpNqNPFpGCNL+HmBYviJ0u  
cwbO2y8AICUhLX0Wy2160IE0ilV4mI+yqlTIiOmCznmIFmO3MIFujIRqZAh01D6K  
7zlR7zBMYBtmlHsfDsaY66nDLRzidWTT4nm3kM+WpoLeS3m8W0Tiok9n3p62tAUx  
4eKXj5kiTCV6GpG9Yy2a9PwXHLOnYbYT3qdHVIK3xVRZvbmonsz9Y+ZLVN1kltDx  
YtIcOcoih9YfAtpW6vJSavkejg1514duMV8Rwj+HB7D6zbMwRxGQcaXFhCmYXrNb  
M+OsseG4IgVTcB68yjzWo8xLyuWETCLSV7UgphEUAbpBK/EYhYyTi/yMbmhfbLcM  
7Ymp+g00zPo6A9Y8JqdZ  
=ovcm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4492-01

Debian Linux Security Advisory 5470-1 - Several vulnerabilities were discovered in python-werkzeug, a collection of utilities for WSGI applications.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5470-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 06, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : python-werkzeug  
CVE ID         : CVE-2023-23934 CVE-2023-25577  
Debian Bug     : 1031370

Several vulnerabilities were discovered in python-werkzeug, a collection  
of utilities for WSGI applications.

CVE-2023-23934

    It was discovered that Werkzeug did not properly handle the parsing  
    of nameless cookies which may allow shadowing of other cookies.

CVE-2023-25577

    It was discovered that Werkzeug could parse unlimited number of  
    parts, including file parts, which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1.0.1+dfsg1-2+deb11u1.

We recommend that you upgrade your python-werkzeug packages.

For the detailed security status of python-werkzeug please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/python-werkzeug

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTPlDVfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Tf+Q//aeMto4dd1KPg5CyID1LMkB7MtvB6WqtKg2PbOsFqt0rtCXE/uFwYMUAA  
PRahKOcmSJEgKqtUcGakBXRxsSqZEYLohM/Jdr8WmWWpZcUuVBazSQZ6w28AspLE  
P0CaOyWZM7hD1ZFAjmpZ5yR0+Bs3p1WiaIl116noiQe4OVBfW1idBVDF0L+zO40r  
nmcPWUzwi2HcjkFK5l3a9avDuu8CsRNylcUukDc/uz99GPJSBycydff5Hh/K6k4K  
NQqI9FwPIRNdBxK84r+EYrmhWhVhPi6WcZ1Om8Wl/OQbuT/+pchytQpREbP2v0Dg  
QEVglP1J171NU5cKBuiE+zUMM1eEh0e6S7VTVt8Nc1t9x/0F+9akhUIAnyfLO9no  
KNDDr2Y5UNvUVGJ7+b2NlXTTkcqm3bCLciqmyCMavuDV2O48TD1n2yVAHjUzt/Yw  
ARqBizYMLTWqRLnNWG1dmyZp0VuZy80/PcaHCOh7Q1+78QHrlkr8KYptwhA8jj3c  
qhxbOORWkmphHwwtVIa2UNDQ3oRGYM9cgDYjcZqHFxZ5OueM/lDlDTFt7YGzGOMe  
K0bG0vmKT8KV4EUQkCfp/eU8ei+nOUjmAIP0sqyvh6bOp+CY88hwvC6PZ8OMg+Ue  
oOg3RJQqRfpFcQ4MLJe0hXbmbLQKyjD1jn7w7v5nRsj/5tF9FxQ=oxjB  
-----END PGP SIGNATURE-----

Debian Security Advisory 5470-1

Debian Linux Security Advisory 5469-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5469-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 05, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048  
                 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:102.14.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:102.14.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTOshEACgkQEMKTtsN8  
TjZruQ//dyQdCaWxEpxvCFG95f4D66Q1wNLz5BBjlgTNEAdnISM3HwEnercTFDD2  
03ZgDzmnhQeLNFCbnXF8j3CxNGKisd9WpWAG8liUHZibhEFcC+7dPVlQbGkSHse3  
KHVCHbOMGUEq1h5XDWFmU4yxhhHAbSjDSfakiqv6rYnUIwIwWanU3YmFUdmoYVh0  
ck/ztG9GqnCz6lnmhpGXTfMpPGtq2khCkeW5XI240scFlLRNBzggPAPxLM8T5cJP  
HLUv5GXx5MeFXQPiG1czdkevWljHVBZIRdIVKmhKepfFHOXt6YbHGFmWOow0cdzL  
ELKTsXl9ZlYTGoGVB5tssk2G+GXZ+VqbFXvYRAnxBpt0o79r0o19A7M/p1YxGRsy  
xqp5Ouk4Thy7uDb0HN/FzyV2cDUEbZFebxeYEn1/q1RdwmxYTssbmjFGkorPTLvr  
sK0tZqgMya5t1TolHh4YMXiiEwffAeNR/t0RQCJgOzujewsJgX4NH2PswcIYUqXR  
s1ZlpeZyxsFTvIDLj5WpLNf6cqeKa/YR4PcTbBW0ccxxN0maqYUvYNr9VmnOjWvJ  
eIXgwQVIVRWRjyoUmLMx/C0ltSxQyQHNUGKGRDcFWiltvRZhsqJ6e6Fot2GjOI/W  
d1u2hYuJ6gXlBoyZp0+jA8vxx8s5c9HwIgnhMIxvG8Q+hZRclKQ=NXzk  
-----END PGP SIGNATURE-----

Debian Security Advisory 5469-1

Debian Linux Security Advisory 5468-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. YeongHyeon Choi discovered that processing web content may disclose sensitive information. Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy. Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution. Various other issues were also addressed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5468-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
August 05, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594  
                 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600  
                 CVE-2023-38611

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-38133

    YeongHyeon Choi discovered that processing web content may  
    disclose sensitive information.

CVE-2023-38572

    Narendra Bhati discovered that a website may be able to bypass the  
    Same Origin Policy.

CVE-2023-38592

    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco  
    Squarcina, and Lorenzo Veronese discovered that processing web  
    content may lead to arbitrary code execution.

CVE-2023-38594

    Yuhao Hu discovered that processing web content may lead to  
    arbitrary code execution.

CVE-2023-38595

    An anonymous researcher, Jiming Wang, and Jikai Ren discovered  
    that processing web content may lead to arbitrary code execution.

CVE-2023-38597

    Junsung Lee discovered that processing web content may lead to  
    arbitrary code execution.

CVE-2023-38599

    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel  
    Genkin, and Yuval Yarom discovered that a website may be able to  
    track sensitive user information.

CVE-2023-38600

    An anonymous researcher discovered that processing web content may  
    lead to arbitrary code execution.

CVE-2023-38611

    Francisco Alonso discovered that processing web content may lead  
    to arbitrary code execution.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.40.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.40.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmTOj+AACgkQAAyEYu0C  
2AK4hw/+IqYa65blruup8jZigzY38U60+U+yzSa1MTtV04Nfv5UUMHw/AuSDi/ap  
U5Vcee/oAb8pFeaZFODPY4k6vHUSjc4iL21zG4X0nYvNL7S9KZOS8TlxLVbbDElu  
VLv3La7yB++vzv64DdU/ZuRkbuqowImesSxV8PFMaeJCWzMGX1Ck4jqqOPewmOAl  
EEc9sFQHavZIdsC7kYGYcJi5UDgHUdG7K1JwKmDyQ+cW4CiTHIpGshpBnOyz7Kx9  
AxTMscAqkigJznjY5kzWe5koFzZY7WTGmxmy7fjepEzB/Zdbl2+FRgFl3UHrd6kj  
90blbnyTT6C+/PXkMR8dbeC2y7yTWZoeyyedRu2m700IdZVR19DKCwNj2TaFXD28  
GKLe7fYKusyvPx63JVmHk6p9wokInOyimn+4Ldwv6q2CUAMXOLpia9hEjljrE1nj  
CNbgyJFsgJTbW069GhkABySNKeQbFd4OCZxemb6jcJsXn3pRWoK/32B8tu/srzJo  
OtdcuHC2TEyQS1EzgzJ25WrvcGkgTaz0eoemcXMdvp31xqWpmJEJoQ95Q/lwskq3  
5e0mOH3AabSDVioImrBNtjnDcPP7Sy8Mq70pv+qx6fQZZnnFUD7YLr8D4KcayUSP  
8M6hBjOj1qAJnXb2N2Cw2YRwYhcsFXQ9d7qbC7C03bEFIsSIx0A=VbdY  
-----END PGP SIGNATURE-----

Tag

#linux