It’s a big deal when a critical security vulnerability is discovered in a program or application with tens of millions of users. We want to alert you of a critical memory safety bug (CVE-2023-4056) that recently brought Thunderbird into the spotlight, receiving a National Vulnerability Database base score of 9.8 out of 10.

This vulnerability and other severe flaws found in Thunderbird could be exploited to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code on impacted systems. But don't panic just yet, Thunderbird users. As LinuxSecurity.com Content Editor, I've got you covered! Read on to ensure your systems are updated and secure - before it’s too late. 

We also have other significant discoveries and fixes for you, including mitigations for a critical BusyBox stack overflow vulnerability that could enable an attacker to execute arbitrary code or cause a denial of service, and fixes for several severe, remotely exploitable Chromium vulnerabilities that could result in the execution of arbitrary code, denial of service, or information disclosure. It's essential that you stay up-to-date on these issues to protect your system from any potential harm. 

Did this newsletter help you out? If so, please pay it forward and share it with a fellow security geek to help ensure their systems are updated and secure. We also welcome feedback on how we could improve our newsletters. If you have any comments or suggestions, please share them with us. Have a Linux security-related topic you'd like to cover and share with our audience? We welcome contributions from passionate, knowledgeable community members like you!

Stay safe out there,

Brittany

Thunderbird

The Discovery 

A critical memory safety bug has been discovered in Thunderbird 115.0 and Thunderbird 102.13 (CVE-2023-4056). Due to the severity of this vulnerability's threat to the confidentiality, integrity, and availability of impacted systems, it has received a National Vulnerability Database base score of 9.8 out of 10. Other severe vulnerabilities have also been found in Thunderbird, including improper validation of the Text Direction Override Unicode Character in filenames (CVE-2023-3417) and copying of an untrusted input stream to a stack buffer without checking its size (CVE-2023-4050).
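As an added illustration of the filename trick behind the Text Direction Override issue (CVE-2023-3417), and not code from this newsletter or from Mozilla, the following defender-side check flags Unicode bidi control characters in attachment names and shows how the extension a user sees can differ from the one the operating system uses. The sample filename is constructed, and the rendering in `displayed_name` is an approximation of the override behaviour rather than the full Unicode Bidirectional Algorithm.

```python
import unicodedata

# Unicode bidi formatting classes: embeddings, overrides, isolates and their terminators.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

def is_bidi_control(ch):
    """True for characters such as U+202E (RLO) that change display order but have no glyph."""
    return unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES

def find_bidi_controls(name):
    """List (position, U+XXXX, bidi class) for every control character in a filename."""
    return [(i, f"U+{ord(c):04X}", unicodedata.bidirectional(c))
            for i, c in enumerate(name) if is_bidi_control(c)]

def real_extension(name):
    """Extension the OS actually uses: controls are ignored, text after the last dot counts."""
    plain = "".join(c for c in name if not is_bidi_control(c))
    return plain.rsplit(".", 1)[1].lower() if "." in plain else ""

def displayed_name(name):
    """Approximate rendering: text between RLO and the next PDF (or end of string) is shown
    reversed, other controls are invisible. Not a full bidi implementation, but enough here."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if unicodedata.bidirectional(ch) == "RLO":
            j = i + 1
            while j < len(name) and unicodedata.bidirectional(name[j]) != "PDF":
                j += 1
            run = "".join(c for c in name[i + 1:j] if not is_bidi_control(c))
            out.append(run[::-1])
            i = j + 1
        elif is_bidi_control(ch):
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def assess_attachment(name):
    """Flag a filename whose rendered extension differs from the real one, or that carries
    any bidi control at all (legitimate attachment names essentially never need them)."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    controls = find_bidi_controls(name)
    return {"name": name, "displayed": shown, "real_extension": real_extension(name),
            "displayed_extension": shown_ext, "controls": controls,
            "suspicious": bool(controls) or shown_ext != real_extension(name)}
```

Running `assess_attachment("report\u202efdp.exe")` on the constructed sample reports a displayed name of `reportexe.pdf` with a real extension of `exe`, which is exactly the mismatch a mail client or gateway filter should surface to the user.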


The Impact

These issues could be exploited to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code.

The Fix

Critical updates for Thunderbird have been released that mitigate these severe vulnerabilities. We urge all impacted users to apply these updates now to prevent data compromise or loss of system access and to protect their online privacy and security.


BusyBox

The Discovery 

A critical stack overflow vulnerability has been discovered in ash.c:6030 in BusyBox before 1.35 (CVE-2022-48174). Due to the ease of exploitation and the severe threat it poses to the confidentiality, integrity, and availability of impacted systems, this bug has received a National Vulnerability Database base score of 9.8 out of 10. It was also discovered that BusyBox incorrectly handled certain malformed gzip archives (CVE-2021-28831).


The Impact

These issues could allow a remote attacker to execute arbitrary code or cause BusyBox to crash, resulting in a denial of service.

The Fix

Important updates for BusyBox have been released that mitigate these critical flaws. We urge all impacted users to apply these updates immediately to protect against attacks leading to potential downtime or compromise.


Chromium

The Discovery 

Distros continue to release updates for several severe, remotely exploitable Chromium vulnerabilities, including out-of-bounds memory access in V8, CSS, and Fonts (CVE-2023-4427, CVE-2023-4428, and CVE-2023-4431), and use after frees in Loader and Vulkan (CVE-2023-4429 and CVE-2023-4430). Because of the significant threat these bugs pose to the confidentiality, integrity, and availability of impacted systems and their ease of exploitation, they have all received a National Vulnerability Database severity rating of “High”.


The Impact

These issues could result in the execution of arbitrary code, denial of service, or information disclosure.

The Fix

A Chromium security update that fixes these dangerous bugs has been released. We strongly recommend that all impacted users apply these updates as soon as possible to protect against attacks leading to loss of access to critical systems or the compromise of sensitive information.
