This week, important updates have been issued for OpenJDK, Lasso and Thunderbird.
We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select.
On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!
Yours in Open Source,
Thunderbird
The Discovery
Several important security vulnerabilities have been discovered in the Mozilla Thunderbird mail and newsgroup client.
These issues include an out-of-bounds write in ANGLE that also affects the Chromium browser (CVE-2021-30547), a use-after-free in the accessibility features of a document (CVE-2021-29970), memory safety bugs in Firefox 90 and Firefox ESR 78.12, and a flaw that could allow IMAP server responses sent by a MITM prior to STARTTLS to be processed (CVE-2021-29969).
These problems have been fixed in Thunderbird version 78.12.0. Update to Thunderbird version 78.12.0 as soon as possible to protect sensitive data and prevent compromise.
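The STARTTLS issue above is a general protocol pitfall, so here is a small added example (written for this newsletter, not Thunderbird's code and not a description of its internals) that models it. The client sends a tagged STARTTLS command, reads the tagged reply in plaintext, and then hands the socket to TLS. If anything sat in the read buffer after that reply, a careless client later parses it as if it had arrived over the protected session. The constructed sample stream, the tag "a001" and the function names are assumptions for illustration.

```python
# Constructed sample: the bytes a client reads back, in plaintext, after it has
# sent "a001 STARTTLS".  The first line is the genuine tagged reply; the second
# line is extra data an on-path attacker appended in the same TCP segment.
INJECTED_STREAM = (
    b"a001 OK Begin TLS negotiation now\r\n"
    b"* CAPABILITY IMAP4rev1 LOGINDISABLED\r\n"
)
# Constructed sample of an honest server: nothing follows the tagged reply.
CLEAN_STREAM = b"a001 OK Begin TLS negotiation now\r\n"


def split_tagged_reply(buffer: bytes, tag: bytes):
    """Return (tagged reply line, bytes that arrived after it).

    Untagged lines before the tagged reply are normal IMAP; what matters is
    anything that follows the reply, because at that point the client is about
    to switch the very same socket to TLS.
    """
    lines = buffer.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.startswith(tag + b" "):
            return line, b"\r\n".join(lines[i + 1:])
    raise ValueError("no tagged reply in buffer")


def carry_over_vulnerable(buffer: bytes, tag: bytes) -> bytes:
    """Model of the flawed behaviour: leftover plaintext stays in the read
    buffer and is parsed later as if it had been received under TLS."""
    _, leftover = split_tagged_reply(buffer, tag)
    return leftover


def carry_over_hardened(buffer: bytes, tag: bytes) -> bytes:
    """Model of the fix: require an OK reply, refuse any plaintext that follows
    it, and start the TLS handshake with an empty read buffer."""
    reply, leftover = split_tagged_reply(buffer, tag)
    parts = reply.split(b" ", 2)
    if len(parts) < 2 or parts[1] != b"OK":
        raise ValueError("server declined STARTTLS: " + reply.decode(errors="replace"))
    if leftover:
        raise ValueError("plaintext data received after the STARTTLS reply; aborting")
    return b""


def hardened_accepts(buffer: bytes, tag: bytes) -> bool:
    """True if the hardened client would proceed to the TLS handshake."""
    try:
        carry_over_hardened(buffer, tag)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable client would later parse:", carry_over_vulnerable(INJECTED_STREAM, b"a001"))
    print("hardened client accepts injected stream:", hardened_accepts(INJECTED_STREAM, b"a001"))
    print("hardened client accepts clean stream:", hardened_accepts(CLEAN_STREAM, b"a001"))
```

The decisive difference is the empty-buffer rule: nothing read in plaintext may survive the transition to TLS, and a server that sends anything after its STARTTLS acknowledgement is treated as hostile rather than chatty.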
A vulnerability has been discovered in the way that OpenSSH handles requests (CVE-2018-15473), which could introduce a regression in certain environments. Robert Swiecki also discovered that OpenSSH incorrectly handles certain messages (CVE-2016-10708).
These issues could be exploited by an attacker to access sensitive information.
OpenSSH has released fixes for these bugs. In general, a standard system update will make all the necessary changes.
An important XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091) has been identified in Lasso, a popular library used by many Linux distros which implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications.
This security issue could allow an attacker to modify a valid SAML response to include an unsigned SAML assertion, which could be used to impersonate another valid user recognized by the service using Lasso. The greatest threat that this vulnerability poses is to data confidentiality and integrity, as well as service availability.
An update is now available for Lasso that fixes this issue. We recommend that users update their systems immediately to safeguard sensitive information and prevent downtime.
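To make the signature wrapping problem concrete, here is an added example of the structural check a SAML consumer should apply before trusting any assertion. It is written for this newsletter and is not Lasso's code or a description of Lasso's fix. The rule it enforces is simple: every Assertion element in the response must carry its own enveloped ds:Signature whose ds:Reference points at that assertion's own ID, and IDs must be unique, so an unsigned assertion placed beside a signed one is rejected instead of silently consumed. The sample documents are constructed, the ds:Signature contents are placeholders (no real digests or signature values), and the function names are assumptions. Cryptographic verification of each accepted signature still has to be done by a real XML-DSig implementation afterwards; this check only decides which elements are eligible for it.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes in ElementTree's {uri}local form.
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample documents.  The signature block is structurally valid but
# carries no real digest or signature value.
RESPONSE_OPEN = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
)
SIGNED_ASSERTION = (
    '<saml:Assertion ID="_a1">'
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    "</saml:Assertion>"
)
UNSIGNED_ASSERTION = (
    '<saml:Assertion ID="_a2">'
    "<saml:Subject><saml:NameID>someone-else</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)
GOOD_RESPONSE = RESPONSE_OPEN + SIGNED_ASSERTION + "</samlp:Response>"
# The wrapping pattern the advisory describes: the signed assertion is left
# intact (so its signature still verifies) and an unsigned one is added.
WRAPPED_RESPONSE = RESPONSE_OPEN + SIGNED_ASSERTION + UNSIGNED_ASSERTION + "</samlp:Response>"
# Same signed assertion twice: ID reuse is another way to confuse lookups by ID.
DUPLICATE_RESPONSE = RESPONSE_OPEN + SIGNED_ASSERTION + SIGNED_ASSERTION + "</samlp:Response>"


def check_assertion_signatures(response_xml: str) -> list:
    """Return the IDs of assertions eligible for signature verification.

    Raises ValueError if any Assertion anywhere in the document lacks its own
    enveloped signature, if that signature references anything other than the
    assertion's own ID, or if an ID is reused.
    """
    root = ET.fromstring(response_xml)
    assertions = list(root.iter(SAML + "Assertion"))
    if not assertions:
        raise ValueError("response contains no Assertion")

    seen_ids = set()
    accepted = []
    for assertion in assertions:
        aid = assertion.get("ID")
        if not aid or aid in seen_ids:
            raise ValueError(f"missing or duplicate Assertion ID: {aid!r}")
        seen_ids.add(aid)

        # find() only looks at direct children, so the signature must be
        # enveloped in this assertion, not borrowed from a sibling or ancestor.
        sig = assertion.find(DSIG + "Signature")
        if sig is None:
            raise ValueError(f"Assertion {aid} is not signed")

        refs = [ref.get("URI") for ref in sig.iter(DSIG + "Reference")]
        if refs != ["#" + aid]:
            raise ValueError(f"signature on Assertion {aid} references {refs}, not #{aid}")
        accepted.append(aid)
    return accepted


def accepts(response_xml: str) -> bool:
    """True if the response passes the structural check."""
    try:
        check_assertion_signatures(response_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good response accepted:", accepts(GOOD_RESPONSE))
    print("wrapped response accepted:", accepts(WRAPPED_RESPONSE))
    print("duplicate-ID response accepted:", accepts(DUPLICATE_RESPONSE))
```

The important design choice is that the check walks every Assertion in the document rather than locating "the" assertion by ID or XPath and then verifying whatever signature happens to be nearby; the element whose contents are used for authentication must be the very element a verified Reference covers.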