[ALAS2-2023-1988] Amazon Linux 2 2017.12 - ALAS2-2023-1988: important priority package update for thunderbird

Severity Important

Affected Packages 4

CVEs 5

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2023-28176:
Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110 and ESR 102.8. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.

CVE-2023-28163:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue that when downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the current user's context. This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.

CVE-2023-28162:
This issue affects Firefox and Thunderbird ESR 102.8 and earlier. The Mozilla Foundation describes this issue as follows:

While implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash.

CVE-2023-25752:
The Mozilla Foundation describes this issue as follows:

When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have lead future code to be incorrect and vulnerable.

CVE-2023-25751:
The Mozilla Foundation describes this issue as follows:

Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash.

Package	Affected Version
pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	< 102.9.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	< 102.9.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	< 102.9.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	< 102.9.0-1.amzn2.0.1

ID

ALAS2-2023-1988

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2023-1988.html

Published

2023-03-17T16:34:00
(18 months ago)

Modified

2023-03-21T23:24:00
(18 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2023-25751	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25751
CVE	CVE-2023-25752	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25752
CVE	CVE-2023-28162	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28162
CVE	CVE-2023-28163	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28163
CVE	CVE-2023-28176	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28176

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird	< 102.9.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird	< 102.9.0-1.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 102.9.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 102.9.0-1.amzn2.0.1	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date