MGASA-2023-0266 - Updated firefox/thunderbird packages fix security vulnerability

Publication date: 24 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0266.html
Type: security
Affected Mageia releases: 8, 9
CVE: CVE-2023-3600,
     CVE-2023-4045,
     CVE-2023-4046,
     CVE-2023-4047,
     CVE-2023-4048,
     CVE-2023-4049,
     CVE-2023-4050,
     CVE-2023-4051,
     CVE-2023-4053,
     CVE-2023-4055,
     CVE-2023-4056,
     CVE-2023-4057,
     CVE-2023-4573,
     CVE-2023-4574,
     CVE-2023-4575,
     CVE-2023-4576,
     CVE-2023-4577,
     CVE-2023-4578,
     CVE-2023-4580,
     CVE-2023-4581,
     CVE-2023-4583,
     CVE-2023-4584,
     CVE-2023-4585,
     CVE-2023-4863

Use-after-free in workers. (CVE-2023-3600)

File Extension Spoofing using the Text Direction Override Character.
(CVE-2023-3417)

Offscreen Canvas could have bypassed cross-origin restrictions.
(CVE-2023-4045)

Incorrect value used during WASM compilation. (CVE-2023-4046)

Potential permissions request bypass via clickjacking. (CVE-2023-4047)

Crash in DOMParser due to out-of-memory conditions. (CVE-2023-4048)

Fix potential race conditions when releasing platform objects.
(CVE-2023-4049)

Stack buffer overflow in StorageManager. (CVE-2023-4050)

Cookie jar overflow caused unexpected cookie jar state. (CVE-2023-4055)

Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR
102.14, Thunderbird 115.1, and Thunderbird 102.14. (CVE-2023-4056)

Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and
Thunderbird 115.1. (CVE-2023-4057)

Memory corruption in IPC CanvasTranslator. (CVE-2023-4573)

Memory corruption in IPC ColorPickerShownCallback. (CVE-2023-4574)

Memory corruption in IPC FilePickerShownCallback. (CVE-2023-4575)

Integer Overflow in RecordedSourceSurfaceCreation. (CVE-2023-4576)

Memory corruption in JIT UpdateRegExpStatics. (CVE-2023-4577)

Full screen notification obscured by file open dialog. (CVE-2023-4051)

Error reporting methods in SpiderMonkey could have triggered an Out of
Memory Exception. (CVE-2023-4578)

Full screen notification obscured by external program. (CVE-2023-4053)

Push notifications saved to disk unencrypted. (CVE-2023-4580)

XLL file extensions were downloadable without warnings. (CVE-2023-4581)

Browsing Context potentially not cleared when closing Private Window.
(CVE-2023-4583)

Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR
115.2, Thunderbird 102.15, and Thunderbird 115.2. (CVE-2023-4584)

Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and
Thunderbird 115.2. (CVE-2023-4585)

Heap buffer overflow in libwebp. (CVE-2023-4863)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32258
- https://www.mozilla.org/en-US/firefox/115.0.1/releasenotes/
- https://www.mozilla.org/en-US/firefox/115.0.2/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/
- https://www.mozilla.org/en-US/firefox/115.0.3/releasenotes/
- https://www.mozilla.org/en-US/firefox/115.1.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
- https://www.mozilla.org/en-US/firefox/115.2.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_93.html
- https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
- https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/115.0.1/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/
- https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/
- https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/
- https://www.mozilla.org/en-US/firefox/115.2.1/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3600
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4045
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4047
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4048
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4050
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4051
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4053
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4055
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4056
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4057
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4573
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4574
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4575
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4576
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4577
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4578
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4580
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4581
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4583
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4584
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4585
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863

SRPMS:
- 9/core/rootcerts-20230720.00-1.mga9
- 9/core/nss-3.93.0-1.mga9
- 9/core/firefox-115.2.1-1.mga9
- 9/core/firefox-l10n-115.2.1-1.mga9
- 9/core/thunderbird-115.2.2-1.mga9
- 9/core/thunderbird-l10n-115.2.2-1.mga9
- 8/core/rootcerts-20230720.00-1.mga8
- 8/core/nss-3.93.0-1.mga8
- 8/core/firefox-102.15.1-1.mga8
- 8/core/firefox-l10n-102.15.1-1.mga8
- 8/core/thunderbird-102.15.1-1.mga8
- 8/core/thunderbird-l10n-102.15.1-1.mga8

Mageia 2023-0266: firefox/thunderbird security update

Use-after-free in workers

Summary

Use-after-free in workers. (CVE-2023-3600)
File Extension Spoofing using the Text Direction Override Character. (CVE-2023-3417)
Offscreen Canvas could have bypassed cross-origin restrictions. (CVE-2023-4045)
Incorrect value used during WASM compilation. (CVE-2023-4046)
Potential permissions request bypass via clickjacking. (CVE-2023-4047)
Crash in DOMParser due to out-of-memory conditions. (CVE-2023-4048)
Fix potential race conditions when releasing platform objects. (CVE-2023-4049)
Stack buffer overflow in StorageManager. (CVE-2023-4050)
Cookie jar overflow caused unexpected cookie jar state. (CVE-2023-4055)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. (CVE-2023-4056)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. (CVE-2023-4057)
Memory corruption in IPC CanvasTranslator. (CVE-2023-4573)
Memory corruption in IPC ColorPickerShownCallback. (CVE-2023-4574)
Memory corruptio...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=32258

- https://www.mozilla.org/en-US/firefox/115.0.1/releasenotes/

- https://www.mozilla.org/en-US/firefox/115.0.2/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/

- https://www.mozilla.org/en-US/firefox/115.0.3/releasenotes/

- https://www.mozilla.org/en-US/firefox/115.1.0/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/

- https://www.mozilla.org/en-US/firefox/115.2.0/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_93.html

- https://firefox-source-docs.mozilla.org/security/nss/releases/index.html

- https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/115.0.1/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/

- https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/

- https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/

- https://www.mozilla.org/en-US/firefox/115.2.1/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3600

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4045

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4046

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4047

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4048

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4049

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4050

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4051

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4053

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4055

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4056

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4057

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4573

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4574

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4575

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4576

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4577

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4578

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4580

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4581

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4583

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4584

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4585

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863

Resolution

MGASA-2023-0266 - Updated firefox/thunderbird packages fix security vulnerability

SRPMS

- 9/core/rootcerts-20230720.00-1.mga9

- 9/core/nss-3.93.0-1.mga9

- 9/core/firefox-115.2.1-1.mga9

- 9/core/firefox-l10n-115.2.1-1.mga9

- 9/core/thunderbird-115.2.2-1.mga9

- 9/core/thunderbird-l10n-115.2.2-1.mga9

- 8/core/rootcerts-20230720.00-1.mga8

- 8/core/nss-3.93.0-1.mga8

- 8/core/firefox-102.15.1-1.mga8

- 8/core/firefox-l10n-102.15.1-1.mga8

- 8/core/thunderbird-102.15.1-1.mga8

- 8/core/thunderbird-l10n-102.15.1-1.mga8

Severity
Publication date: 24 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0266.html
Type: security
CVE: CVE-2023-3600, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4051, CVE-2023-4053, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585, CVE-2023-4863

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved