
Stay Secure with the Latest Linux Advisories



Explore Latest Linux Security advisories


Oracle Linux 9: ELSA-2025-19951 BIND Important Spoofing Fix

Oracle Linux Security Advisory ELSA-2025-19951
http://linux.oracle.com/errata/ELSA-2025-19951.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bind-9.16.23-31.0.1.el9_6.2.x86_64.rpm
bind-chroot-9.16.23-31.0.1.el9_6.2.x86_64.rpm
bind-devel-9.16.23-31.0.1.el9_6.2.i686.rpm
bind-devel-9.16.23-31.0.1.el9_6.2.x86_64.rpm
bind-dnssec-doc-9.16.23-31.0.1.el9_6.2.noarch.rpm
bind-dnssec-utils-9.16.23-31.0.1.el9_6.2.x86_64.rpm
bind-doc-9.16.23-31.0.1.el9_6.2.noarch.rpm
bind-libs-9.16.23-31.0.1.el9_6.2.i686.rpm
bind-libs-9.16.23-31.0.1.el9_6.2.x86_64.rpm
bind-license-9.16.23-31.0.1.el9_6.2.noarch.rpm
bind-utils-9.16.23-31.0.1.el9_6.2.x86_64.rpm
python3-bind-9.16.23-31.0.1.el9_6.2.noarch.rpm

aarch64:
bind-9.16.23-31.0.1.el9_6.2.aarch64.rpm
bind-chroot-9.16.23-31.0.1.el9_6.2.aarch64.rpm
bind-devel-9.16.23-31.0.1.el9_6.2.aarch64.rpm
bind-dnssec-doc-9.16.23-31.0.1.el9_6.2.noarch.rpm
bind-dnssec-utils-9.16.23-31.0.1.el9_6.2.aarch64.rpm
bind-doc-9.16.23-31.0.1.el9_6.2.noarch.rpm
bind-libs-9.16.23-31.0.1.el9_6.2.aarch64.rpm
bind-license-9.16.23-31.0.1.el9_6.2.noarch.rpm
bind-utils-9.16.23-31.0.1.el9_6.2.aarch64.rpm
python3-bind-9.16.23-31.0.1.el9_6.2.noarch.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/bind-9.16.23-31.0.1.el9_6.2.src.rpm

Related CVEs: CVE-2025-40778, CVE-2025-40780

Description of changes:
[9.16.23-31.0.1]
- Fix warning when changing device file permissions [Orabug: 36518580]
[32:9.16.23-31.2]
- Replace downstream fixes with upstream changes
[32:9.16.23-31.1]
- Prevent cache poisoning due to weak PRNG (CVE-2025-40780)
- Address various spoofing attacks (CVE-2025-40778)

El-errata mailing list: https://oss.oracle.com/mailman/listinfo/el-errata

Updated rpms for Oracle Linux 9 address important security issues in BIND, focusing on cache poisoning and spoofing attacks.
Tags: BIND Oracle Security AmaLinux Updates
Severity: Important. LinuxSecurity.com Team

Nov 11, 2025 | Important | Oracle

Debian Bookworm DSA-5772-1: Critical LibreOffice Spoofing Threat

Debian Security Advisory DSA-5772-1
https://www.debian.org/security/
Moritz Muehlenhoff
September 17, 2024
https://www.debian.org/security/faq

Package : libreoffice
CVE ID : CVE-2024-7788

Yufan You discovered that LibreOffice's handling of documents based on ZIP archives was susceptible to spoofing attacks when the repair mode attempts to address a malformed archive structure.

For additional information please refer to

For the stable distribution (bookworm), this problem has been fixed in version 4:7.4.7-1+deb12u5.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/libreoffice

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

A recent LibreOffice patch resolves security loopholes linked to ZIP file processing flaws in Debian systems. Fortify your setup immediately!
Tags: Debian Security, Libreoffice, Spoofing Threats, Software Security, Update Recommendations
Severity: Critical. LinuxSecurity.com Team

Sep 17, 2024 | Critical | Debian

Ubuntu 22.10 USN-6015-1: Critical Thunderbird Denial of Service Fix

Ubuntu Security Notice USN-6015-1
April 13, 2023

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:
Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code. (CVE-2023-1945, CVE-2023-29548, CVE-2023-29550)

Paul Menzel discovered that Thunderbird did not properly validate OCSP revocation status of recipient certificates when sending S/MIME encrypted email. An attacker could potentially exploit this issue to perform a spoofing attack. (CVE-2023-0547)

Ribose RNP Team discovered that Thunderbird did not properly manage memory when parsing certain OpenPGP messages. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-29479)

Irvan Kurniawan discovered that Thunderbird did not properly manage fullscreen notifications using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. An attacker could potentially exploit this issue to perform spoofing attacks. (CVE-2023-29533)

Lukas Bernhard discovered that Thunderbird did not properly manage memory when doing Garbage Collector compaction. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-29535)

Zx from qriousec discovered that Thunderbird did not properly validate the address to free a pointer provided to the memory manager. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-29536)

Trung Pham discovered that Thunderbird did not properly validate the filename directive in the Content-Disposition header. An attacker could possibly exploit this to perform reflected file download attacks, potentially tricking users into installing malware. (CVE-2023-29539)

Ameen Basha M K discovered that Thunderbird did not properly validate downloads of files ending in .desktop. An attacker could potentially exploit this issue to execute arbitrary code. (CVE-2023-29541)

Update instructions:
The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10:
thunderbird 1:102.10.0+build2-0ubuntu0.22.10.1

Ubuntu 22.04 LTS:
thunderbird 1:102.10.0+build2-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
thunderbird 1:102.10.0+build2-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
thunderbird 1:102.10.0+build2-0ubuntu0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
CVE-2023-0547, CVE-2023-1945, CVE-2023-29479, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29548, CVE-2023-29550

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:102.10.0+build2-0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:102.10.0+build2-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:102.10.0+build2-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:102.10.0+build2-0ubuntu0.18.04.1

Numerous security patches for Thunderbird are available in Ubuntu 22.10, 22.04, 20.04, and 18.04. Update now to safeguard your system from vulnerabilities.
Tags: Thunderbird Security Update, Ubuntu 22.10 Advisory, Denial of Service Bug, Spoofing Threat Resolution
Severity: Critical. LinuxSecurity.com Team

Apr 13, 2023 | Critical | Ubuntu

openSUSE Leap 15.4: 2023:0113-1 Critical MozillaFirefox Fix

SUSE Security Update: Security update for MozillaFirefox

Announcement ID: SUSE-SU-2023:0113-1
Rating: important
References: #1207119
Cross-References: CVE-2022-46871 CVE-2022-46877 CVE-2023-23598 CVE-2023-23601 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605
CVSS scores:
CVE-2022-46871 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-46877 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Products:
SUSE Enterprise Storage 7
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Desktop Applications 15-SP4
SUSE Linux Enterprise Realtime Extension 15-SP3
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3-LTSS
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.3
openSUSE Leap 15.4

An update that fixes 7 vulnerabilities is now available.

Description:
This update for MozillaFirefox fixes the following issues:
- Updated to version 102.7.0 ESR (bsc#1207119):
- CVE-2022-46871: Updated an out of date library (libusrsctp) which contained several vulnerabilities.
- CVE-2023-23598: Fixed an arbitrary file read from GTK drag and drop on Linux.
- CVE-2023-23601: Fixed a potential spoofing attack when dragging a URL from a cross-origin iframe into the same tab.
- CVE-2023-23602: Fixed a mishandled security check, which caused the Content Security Policy header to be ignored for WebSockets in WebWorkers.
- CVE-2022-46877: Fixed a fullscreen notification bypass which could be leveraged in spoofing attacks.
- CVE-2023-23603: Fixed a Content Security Policy bypass via format directives.
- CVE-2023-23605: Fixed several memory safety bugs.

Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2023-113=1
- SUSE Linux Enterprise Server for SAP 15-SP3: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-113=1
- SUSE Linux Enterprise Server for SAP 15-SP2: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-113=1
- SUSE Linux Enterprise Server 15-SP3-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-113=1
- SUSE Linux Enterprise Server 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-113=1
- SUSE Linux Enterprise Realtime Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-113=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP4: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2023-113=1
- SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-113=1
- SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-113=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-113=1
- SUSE Enterprise Storage 7.1: zypper in -t patch SUSE-Storage-7.1-2023-113=1
- SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2023-113=1

Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-branding-upstream-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Server for SAP 15-SP3 (ppc64le x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Server 15-SP3-LTSS (aarch64 ppc64le s390x x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Server 15-SP3-LTSS (aarch64 ppc64le x86_64):
MozillaFirefox-devel-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Realtime Extension 15-SP3 (x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64 ppc64le s390x x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64 ppc64le x86_64):
MozillaFirefox-devel-102.7.0-150200.152.73.1
- SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (aarch64 x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (aarch64 x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Enterprise Storage 7.1 (aarch64 x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1
- SUSE Enterprise Storage 7 (aarch64 x86_64):
MozillaFirefox-102.7.0-150200.152.73.1
MozillaFirefox-debuginfo-102.7.0-150200.152.73.1
MozillaFirefox-debugsource-102.7.0-150200.152.73.1
MozillaFirefox-devel-102.7.0-150200.152.73.1
MozillaFirefox-translations-common-102.7.0-150200.152.73.1
MozillaFirefox-translations-other-102.7.0-150200.152.73.1

References:
https://www.suse.com/security/cve/CVE-2022-46871.html
https://www.suse.com/security/cve/CVE-2022-46877.html
https://www.suse.com/security/cve/CVE-2023-23598.html
https://www.suse.com/security/cve/CVE-2023-23601.html
https://www.suse.com/security/cve/CVE-2023-23602.html
https://www.suse.com/security/cve/CVE-2023-23603.html
https://www.suse.com/security/cve/CVE-2023-23605.html
https://bugzilla.suse.com/1207119

Essential patch for MozillaFirefox on openSUSE addresses 7 vulnerabilities, enhancing security measures and optimizing functionality throughout various distributions.
Tags: MozillaFirefox Update, openSUSE Security, 2023 Security Advisory
Severity: Critical. LinuxSecurity.com Team

Jan 20, 2023 | Critical | openSUSE

Mageia: 2022-0221 Moderate: Thunderbird Email Safety Risks and Fixes

MGASA-2022-0221 - Updated thunderbird packages fix security vulnerability
Publication date: 04 Jun 2022
URL: https://advisories.mageia.org/MGASA-2022-0221.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-1834, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31747

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature (CVE-2022-1834).

A malicious website could have learned the size of a cross-origin resource that supported Range requests (CVE-2022-31736).

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash (CVE-2022-31737).

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks (CVE-2022-31738).

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash (CVE-2022-31740).

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption (CVE-2022-31741).

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals (CVE-2022-31742).

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References:
- https://bugs.mageia.org/show_bug.cgi?id=30499
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/
- https://www.thunderbird.net/en-US/thunderbird/91.10.0/releasenotes/
- https://access.redhat.com/errata/RHSA-2022:4892
- https://www.cve.org/CVERecord?id=CVE-2022-1834
- https://www.cve.org/CVERecord?id=CVE-2022-31736
- https://www.cve.org/CVERecord?id=CVE-2022-31737
- https://www.cve.org/CVERecord?id=CVE-2022-31738
- https://www.cve.org/CVERecord?id=CVE-2022-31740
- https://www.cve.org/CVERecord?id=CVE-2022-31741
- https://www.cve.org/CVERecord?id=CVE-2022-31742
- https://www.cve.org/CVERecord?id=CVE-2022-31747

SRPMS:
- 8/core/thunderbird-91.10.0-1.mga8
- 8/core/thunderbird-l10n-91.10.0-1.mga8

The recent update for Mageia's Thunderbird fixes a variety of vulnerabilities identified on June 4, 2022, boosting email security.
Tags: Thunderbird Security, Mageia Updates, Email Safety
LinuxSecurity.com Team

Jun 04, 2022 | Mageia

Mageia: MGASA-2021-0506 Moderate: Thunderbird Security Threats

MGASA-2021-0506 - Updated thunderbird packages fix security vulnerabilities
Publication date: 10 Nov 2021
URL: https://advisories.mageia.org/MGASA-2021-0506.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-XXXX

Updated thunderbird packages fix security vulnerabilities:

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame (CVE-2021-38503).

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash (CVE-2021-38504).

Through a series of navigations, Thunderbird could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing (CVE-2021-38506).

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption, a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage (CVE-2021-38507).

A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash (MOZ-2021-0008).

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission (CVE-2021-38508).

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing (CVE-2021-38509).

Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (MOZ-2021-0007).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29625
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/
- https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
- https://www.cve.org/CVERecord?id=CVE-2021-XXXX

SRPMS:
- 8/core/thunderbird-91.3.0-1.mga8
- 8/core/thunderbird-l10n-91.3.0-1.mga8

Revised Firefox distributions tackle critical vulnerabilities like memory leaks, confinement failures, and web impersonation threats.
Tags: Thunderbird Security, Mageia Updates, Iframe Threats, Memory Corruption Fixes
LinuxSecurity.com Team

Nov 10, 2021 | Mageia

Debian: DSA-4875-1 High: Thunderbird Security Flaw Risk

Debian Security Advisory DSA-4874-1
https://www.debian.org/security/
Moritz Muehlenhoff
March 24, 2021
https://www.debian.org/security/faq

Package : firefox-esr
CVE ID : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing attacks.

For the stable distribution (buster), these problems have been fixed in version 78.9.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Several vulnerabilities in Firefox identified in Debian DSA-4874-1 could result in code execution and data exposure. It is recommended to perform an upgrade.
Tags: Debian Security Advisory, firefox-esr, critical security update
LinuxSecurity.com Team

Mar 24, 2021 | Debian

RedHat: RHSA-2020-2054-01 Important: Open Liberty Runtime Security Fix

Red Hat Security Advisory

Synopsis: Important: Open Liberty 20.0.0.5 Runtime security update
Advisory ID: RHSA-2020:2054-01
Product: Open Liberty
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2054
Issue date: 2020-05-11
CVE Names: CVE-2020-4329 CVE-2020-4421

1. Summary:
Open Liberty 20.0.0.5 Runtime is now available from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:
Open Liberty is a lightweight open framework for building fast and efficient cloud-native Java microservices. This release of Open Liberty 20.0.0.5 serves as a replacement for Open Liberty 20.0.0.4 and includes security fixes, bug fixes, and enhancements. For specific information about this release, see links in the References section.

Security Fix(es):
* Information disclosure in WebSphere Application Server (CVE-2020-4329)
* Potential spoofing attack in WebSphere Application Server (CVE-2020-4421)

For more details about the security issue(s), see the IBM Security Bulletin links for each CVE, listed in the References section.

3. Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update).

4. JIRA issues fixed:
IBMRT-26 - Release Open Liberty 20.0.0.5

5. References:
https://access.redhat.com/security/cve/CVE-2020-4329
https://access.redhat.com/security/cve/CVE-2020-4421
https://access.redhat.com/security/updates/classification#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=open.liberty&downloadType=distributions&version=20.0.0.5
https://www.ibm.com/support/pages/node/6201862
https://www.ibm.com/support/pages/node/6205926
https://access.redhat.com/articles/4544981

6. Contact:
The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2020 Red Hat, Inc.

RHSA-announce mailing list

Open Liberty 20.0.0.5 Runtime security advisory showcases crucial updates and important fixes for users.
Tags: Open Liberty Runtime Security, Red Hat Security Advisory, Important Security Updates
Severity: Important. LinuxSecurity.com Team

May 11, 2020 | Important | Red Hat
