This week, important updates have been issued for OpenJDK, Lasso and Thunderbird.
We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select.
On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!
Yours in Open Source,
OpenJDK
The Discovery
Several dangerous vulnerabilities have been discovered in the OpenJDK 11 Java Runtime Environment (CVE-2021-2341, CVE-2021-2369 and CVE-2021-2388).
These issues could result in bypass of sandbox restrictions, incorrect validation of signed Jars, or information disclosure.
We recommend that you upgrade your openjdk-11 packages to OpenJDK 11.0.12 (2021-07-20) immediately to mitigate these flaws.
An important XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091) has been discovered in the Lasso library, which implements the Liberty Alliance Single SignOn standards, including the SAML and SAML2 specifications.
This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Lasso has released an update that fixes this issue. Users should update their systems as soon as possible to protect sensitive data and prevent downtime.
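The root cause described above is a consumer that trusts whichever assertion it finds first, while the signature it verified actually covers a different element. The defensive check is to bind the assertion you act on to the element the ds:Reference points at. The following Python is an added example written for this newsletter, not Lasso's code or its fix; the two SAML responses are constructed samples, and the demo_verify callback stands in for a real XML-DSig verifier (in production that would be a library such as xmlsec or signxml, which this example does not implement).

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML-DSig namespaces.
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class SamlWrappingError(Exception):
    """Raised when the assertion about to be trusted is not the one the signature covers."""


def _name_id(assertion):
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def naive_first_assertion(xml_bytes):
    """Vulnerable pattern: act on the first Assertion in the document,
    assuming that 'the signature verified' applies to it."""
    root = ET.fromstring(xml_bytes)
    return _name_id(root.find(f".//{{{SAML}}}Assertion"))


def hardened_assertion(xml_bytes, verify_signature):
    """Return the NameID of the single assertion that is structurally bound to
    the enveloped signature, or raise SamlWrappingError.

    verify_signature(signature_element) -> bool is supplied by the caller and
    must perform the cryptographic XML-DSig check (assumption: an external library)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlWrappingError("root element is not a samlp:Response")

    # Search the whole tree, not just direct children: a wrapped (unsigned)
    # assertion anywhere in the document is grounds for rejection.
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if len(assertions) != 1:
        raise SamlWrappingError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):  # Element comparison is by identity
        raise SamlWrappingError("Assertion is not a direct child of the Response")

    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlWrappingError("Assertion has no ID to bind a signature to")

    # Enveloped signature: exactly one ds:Signature directly inside the assertion...
    sigs = [c for c in assertion if c.tag == f"{{{DS}}}Signature"]
    if len(sigs) != 1:
        raise SamlWrappingError(f"expected exactly one enveloped Signature, found {len(sigs)}")
    sig = sigs[0]

    # ...whose single Reference points at this assertion's own ID.
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != "#" + assertion_id:
        raise SamlWrappingError("signature Reference does not point at this Assertion")

    if not verify_signature(sig):
        raise SamlWrappingError("signature verification failed")
    return _name_id(assertion)


def rejects(xml_bytes, verify_signature):
    """True if the hardened check refuses the response (helper for demos and tests)."""
    try:
        hardened_assertion(xml_bytes, verify_signature)
    except SamlWrappingError:
        return True
    return False


def demo_verify(sig):
    # Placeholder for a real XML-DSig check; accepts only our constructed marker value.
    return sig.findtext(f"{{{DS}}}SignatureValue") == "constructed-demo-signature"


# Constructed sample: a response whose only assertion is enveloped-signed.
LEGIT = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-demo-signature</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same signed assertion, with an unsigned one placed first.
WRAPPED = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>mallory</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-demo-signature</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("naive, legit:   ", naive_first_assertion(LEGIT))
    print("naive, wrapped: ", naive_first_assertion(WRAPPED))
    print("hardened, legit:", hardened_assertion(LEGIT, demo_verify))
    print("hardened rejects wrapped:", rejects(WRAPPED, demo_verify))
```

The structural rules (one assertion in the whole tree, a direct child of the Response, carrying exactly one enveloped signature whose Reference URI is its own ID) are deliberately stricter than the SAML schema allows; a consumer that needs response-level signatures or multiple assertions should extend them rather than drop them, because each relaxation is where the wrapped element slips in.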
Several important security issues have been discovered in the Mozilla Thunderbird mail and newsgroup client.
These vulnerabilities include an out-of-bounds write in ANGLE that also affects the Chromium browser (CVE-2021-30547), a use-after-free in accessibility features of a document (CVE-2021-29970), memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12, and a flaw that could allow IMAP server responses injected by a man-in-the-middle before STARTTLS to be processed (CVE-2021-29969).
Mozilla has released an update upgrading Thunderbird to version 78.12.0, which fixes these issues. Update Thunderbird now to prevent attacks and protect sensitive information.