[ALAS2-2023-2051] Amazon Linux 2 2017.12 - ALAS2-2023-2051: important priority package update for thunderbird

Severity Important

Affected Packages 4

CVEs 7

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2023-32215:
Mozilla developers and community members reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2023-32213:
The Mozilla Foundation Security Advisory describes this flaw as:

When reading a file, an uninitialized value could have been used as read limit.

CVE-2023-32212:
The Mozilla Foundation Security Advisory describes this flaw as:

An attacker could have positioned a datalist element to obscure the address bar.

CVE-2023-32211:
The Mozilla Foundation Security Advisory describes this flaw as:

A type checking bug would have led to invalid code being compiled.

CVE-2023-32207:
The Mozilla Foundation Security Advisory describes this flaw as:

A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions.

CVE-2023-32206:
The Mozilla Foundation Security Advisory describes this flaw as:

An out-of-bound read could have led to a crash in the RLBox Expat driver.

CVE-2023-32205:
In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks.

Package	Affected Version
pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	< 102.11.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	< 102.11.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	< 102.11.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	< 102.11.0-1.amzn2.0.1

ID

ALAS2-2023-2051

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2023-2051.html

Published

2023-05-25T17:41:00
(16 months ago)

Modified

2023-06-01T23:37:00
(15 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2023-32205	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32205
CVE	CVE-2023-32206	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32206
CVE	CVE-2023-32207	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32207
CVE	CVE-2023-32211	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32211
CVE	CVE-2023-32212	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32212
CVE	CVE-2023-32213	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32213
CVE	CVE-2023-32215	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32215

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird	< 102.11.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird	< 102.11.0-1.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 102.11.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 102.11.0-1.amzn2.0.1	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date