Thunderbird 102.9.0 Critical: Kernels & Kerberos DoS Risks Exploited

Thunderbird reported multiple high-impact security issues this week that could result in denial of service (DoS) attacks leading to potentially exploitable crashes, the execution of arbitrary code, or spoofing attacks. Learn if you are impacted, and how to secure your systems against potential downtime and compromise.
Also reported this week were several important bugs in the Linux kernel for Intel IoT platforms, which a remote attacker could exploit to launch denial of service (DoS) attacks leading to crashes and kernel deadlock, expose sensitive information (kernel memory), or execute arbitrary code. A remotely exploitable bug has also been identified in the Kerberos network authentication protocol, which could lead to denial of service (DoS) or have other unspecified impacts. It is crucial that all impacted users update immediately to protect the confidentiality of their sensitive information and prevent loss of access to their critical systems.
Read on to learn about other significant issues that have been fixed, and how to secure your systems against them.
Yours in Open Source,

Thunderbird
The Discovery: Multiple security issues were discovered in Thunderbird, including a high-impact vulnerability involving incorrect code generation during JIT compilation (CVE-2023-25751), and high-severity memory safety bugs present in Thunderbird 102.8 (CVE-2023-28176).
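The practical question for this advisory is whether the Thunderbird you are running is at or above 102.9.0, the version named in the title as carrying the fixes. The check below is an added example written for this page, not code from Thunderbird or from the newsletter; it assumes that `thunderbird --version` prints a line such as `Thunderbird 102.8.0`, and it compares versions numerically so that 102.10.0 is correctly treated as newer than 102.9.0 (a plain string comparison gets that wrong). The sample version lines fed to it are constructed.

```python
"""Check an installed Thunderbird version against the advisory's fixed release.

Added example for this advisory digest; the command-output format is an
assumption, and the sample lines at the bottom are constructed.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Version the advisory names as carrying the fixes (from the page title).
THUNDERBIRD_FIXED = "102.9.0"

# First dotted numeric version in a string, e.g. "102.9.0" out of
# "Thunderbird 102.9.0" or "1:102.9.0+build1-0ubuntu1" (an epoch prefix
# such as "1:" is skipped because it has no dot after it).
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if none is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(installed: str, fixed: str) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if unparseable.

    Tuples are zero-padded so that "102.9" and "102.9.0" compare equal.
    """
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def installed_thunderbird_version() -> Optional[str]:
    """Ask the local binary for its version; None when not installed.

    Assumption: `thunderbird --version` prints "Thunderbird <version>".
    """
    exe = shutil.which("thunderbird")
    if exe is None:
        return None
    try:
        proc = subprocess.run([exe, "--version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout.strip() or None


def report(installed: Optional[str], fixed: str = THUNDERBIRD_FIXED) -> str:
    """One-line verdict for a version string (or None for 'not installed')."""
    if installed is None:
        return "thunderbird: not installed (not affected by this advisory)"
    status = is_fixed(installed, fixed)
    if status is None:
        return f"thunderbird: could not parse a version from {installed!r}; check manually"
    verdict = "at or above" if status else "BELOW"
    return f"thunderbird: {installed!r} is {verdict} fixed version {fixed}"


if __name__ == "__main__":
    # Constructed sample lines in the assumed `thunderbird --version` format.
    for sample in ("Thunderbird 102.8.0", "Thunderbird 102.9.0",
                   "Thunderbird 102.10.0"):
        print(report(sample))
    # Live check of this machine, if Thunderbird is on PATH.
    print(report(installed_thunderbird_version()))
```

On distribution packages, the same `is_fixed` comparison works on the version string from your package manager (for example the output of `dpkg-query -W -f='${Version}' thunderbird` or `rpm -q --qf '%{VERSION}' thunderbird`), since the regex skips an epoch prefix and ignores the packaging suffix; the fixed version to compare against should then be the one your distribution's own advisory names.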
Linux Kernel (Intel IoTG)
The Discovery: Several bugs were discovered in the Linux kernel for Intel IoT platforms, including a remotely exploitable use-after-free vulnerability in the NFSD implementation in the Linux kernel (CVE-2022-4379).
The Impact: These issues could result in denial of service (DoS) attacks leading to crashes and kernel deadlock, the execution of arbitrary code, or the exposure of sensitive information (kernel memory).
The Fix: Updated package versions are available for the kernel that mitigate these bugs. We urge all impacted users to update now to protect the confidentiality, integrity and availability of their systems and their sensitive information.
Kerberos
The Discovery: Two security vulnerabilities were found in the Kerberos network authentication protocol. It was discovered that Kerberos incorrectly handled memory when processing KDC data, which could lead to a NULL pointer dereference (CVE-2021-36222 and CVE-2021-37750).