This week, important updates have been issued for Firefox, Thunderbird and the cpio general file archiver utility.
We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select.
On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our site!
Yours in Open Source,
Various remotely-exploitable memory safety bugs in Firefox before version 91 have been discovered by Mozilla developers and community members (CVE-2021-29980, CVE-2021-29981, CVE-2021-29982 and CVE-2021-29984).
A remote attacker could exploit these flaws to execute arbitrary code or trick users into accepting additional site permissions through maliciously crafted web content.
These problems have been fixed upstream in Firefox version 91.0. Upgrade Firefox to version 91.0-1 immediately to protect sensitive data and prevent system compromise.
Multiple important security vulnerabilities have been discovered in the Thunderbird mail and newsgroup client. These issues include uninitialized memory in a canvas object (CVE-2021-29980), incorrect instruction reordering during JIT optimization (CVE-2021-29984), a race condition when resolving DNS names (CVE-2021-29986), incorrect style treatment (CVE-2021-29988), a use-after-free in media channels (CVE-2021-29985) and memory safety bugs (CVE-2021-29989).
These flaws could result in memory corruption and the execution of arbitrary code.
These problems have been fixed in Thunderbird version 78.13.0. Upgrade to Thunderbird 78.13.0 now to protect the security and integrity of your system.
SUSE and openSUSE users are at heightened risk this week, as critical regressions in previous updates for the cpio general file archiver utility remedying CVE-2021-38185 have been discovered, leaving SUSE and openSUSE systems vulnerable to attack.
These issues could result in remote code execution (RCE) due to an integer overflow, a segmentation fault in cpio and system crashes.
SUSE and openSUSE have released updates fixing these regressions. We urge users to update immediately to protect against these serious threats to the security and availability of their systems.
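As an added check that is not part of this newsletter or of any distro's advisory: a small POSIX shell script that compares installed package versions against the fixed Firefox (91.0-1) and Thunderbird (78.13.0) versions named above and reports which packages still need the update. The installed versions are a constructed sample; the cpio advisory names no fixed version here, so it is left out.

```shell
#!/bin/sh
# Added example, not from the LinuxSecurity.com advisory: flag packages whose
# installed version is older than the fixed version named in the advisory.
# The "installed" versions below are a constructed sample; on a real host you
# would feed in your package manager's query output instead.

# Fixed versions as stated in this week's advisories.
FIXED_FIREFOX="91.0-1"
FIXED_THUNDERBIRD="78.13.0"

# version_ge A B: succeeds when A >= B. Components are compared numerically,
# with '.' and '-' (Debian-style release suffix) both treated as separators;
# a missing trailing component counts as 0. Assumes purely numeric components,
# so suffixes such as "esr" are not handled.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_pkg NAME INSTALLED FIXED: prints a verdict line; returns 0 when the
# installed version already carries the fix, 1 when it is still vulnerable.
check_pkg() {
    if version_ge "$2" "$3"; then
        echo "OK         $1 $2 (fix is in $3)"
        return 0
    fi
    echo "VULNERABLE $1 $2 is older than $3"
    return 1
}

# Constructed sample inventory: Firefox is patched, Thunderbird lags a release.
# Returns the number of packages still vulnerable (1 for this sample).
audit_sample() {
    vuln=0
    check_pkg firefox     "91.0-1"  "$FIXED_FIREFOX"     || vuln=$((vuln + 1))
    check_pkg thunderbird "78.12.0" "$FIXED_THUNDERBIRD" || vuln=$((vuln + 1))
    return $vuln
}

audit_sample || echo "$? package(s) still need updating"
```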