[ALAS2-2022-1855] Amazon Linux 2 2017.12 - ALAS2-2022-1855: important priority package update for thunderbird

Severity Important

Affected Packages 4

CVEs 8

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2022-38478:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of members on the Mozilla Fuzzing Team reporting memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.

CVE-2022-38477:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of Mozilla developer Nika Layzell and the Mozilla Fuzzing Team, reporting memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.

CVE-2022-38476:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of a data race that could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password.

CVE-2022-38473:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of a cross-origin iframe referencing an XSLT document inheriting the parent domain's permissions (such as microphone or camera access).

CVE-2022-38472:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of an attacker abusing XSLT error handling to associate attacker-controlled content with another origin, which was displayed in the address bar. This issue could be used to fool the user into submitting data intended for the spoofed origin.

CVE-2022-36319:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed.

CVE-2022-36318:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when visiting directory listings for chrome:// URLs as source text, some parameters were reflected.

CVE-2022-2505:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of Mozilla developers and the Mozilla Fuzzing Team reporting memory safety bugs in Firefox 102. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.

Package	Affected Version
pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	< 91.13.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	< 91.13.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	< 91.13.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	< 91.13.0-1.amzn2.0.1

ID

ALAS2-2022-1855

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2022-1855.html

Published

2022-09-30T07:04:00
(23 months ago)

Modified

2022-10-10T21:54:00
(23 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2022-2505	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2505
CVE	CVE-2022-36318	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36318
CVE	CVE-2022-36319	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36319
CVE	CVE-2022-38472	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38472
CVE	CVE-2022-38473	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
CVE	CVE-2022-38476	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476
CVE	CVE-2022-38477	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477
CVE	CVE-2022-38478	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird	< 91.13.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird	< 91.13.0-1.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 91.13.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 91.13.0-1.amzn2.0.1	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date