Your data is a valuable asset that must always be protected against theft and compromise. That’s why, as LinuxSecurity.com Content Editor, I’m here to alert fellow Ubuntu users of recent fixes for two notorious Node.js vulnerabilities that a remote attacker could exploit to obtain sensitive information or execute arbitrary code on your systems. With over 30 million websites using the cross-platform, open-source server environment, these vulnerabilities have had a widespread impact since their discovery in 2019. Due to the severe confidentiality and integrity threat they pose to impacted users, Ubuntu has now taken action to mitigate these serious bugs. Read on to learn how to ensure your systems are updated and secure.

We also have other significant discoveries and fixes for you, including mitigations for a critical, actively exploited zero-day vulnerability in Thunderbird and Firefox (CVE-2023-4863) that is among the most severe we have seen in a while. This bug could allow a remote attacker to execute arbitrary code to hijack an impacted device if left unpatched. It's essential that you stay up-to-date on these issues to safeguard your system from any potential harm.  

Did you find today’s newsletter informative and helpful? If so, please pay it forward and share it with a fellow security geek to help them safeguard their systems against these dangerous vulnerabilities. We also welcome feedback on how we could improve our newsletters or our site. If you have any thoughts or suggestions, please share them with us. Have a Linux security-related topic you'd like to cover for our audience? We welcome contributions from insightful, passionate community members who share our love for Linux security!

Stay safe out there,

Brittany

Node.js

The Discovery 

Several significant security issues were fixed in Node.js, including two critical vulnerabilities that have received a National Vulnerability Database base score of 9.8 out of 10. CVE-2019-15605 is an HTTP request smuggling bug in Node.js 10, 12, and 13 that lets an attacker smuggle a malicious payload past the server when the Transfer-Encoding header is malformed, and CVE-2019-15606 is an authorization bypass issue in Node.js 10, 12, and 13.


The Impact

A remote attacker could possibly use these issues to obtain sensitive information or execute arbitrary code.

The Fix

Essential Node.js security updates have been released to fix these severe flaws. We urge all impacted users to update immediately to protect their critical systems and sensitive data against attacks leading to compromise.


Thunderbird

The Discovery 

Distros continue to release updates addressing a zero-day heap buffer overflow vulnerability in the WebP image format in Thunderbird (CVE-2023-4863). This bug has received a severity rating of “Critical”.


The Impact

This issue could enable a remote attacker to execute arbitrary code when processing a specially crafted image.

The Fix

Thunderbird has released important security updates mitigating this severe flaw. We strongly recommend that all impacted users apply these updates now to protect against crashes and prevent adversaries from hijacking their critical systems.


Firefox 

The Discovery 

Distros are also releasing updates for Firefox, which is affected by the same critical heap buffer overflow vulnerability in the WebP image format (CVE-2023-4863).


The Impact

This vulnerability could allow a remote attacker to execute arbitrary code to gain control over an affected device.

The Fix

Mozilla has released crucial updates for Firefox that fix this impactful issue. We strongly encourage all affected users to apply these updates as soon as possible to protect against attacks leading to loss of system access and potential compromise.
