[ALAS2-2024-2561] Amazon Linux 2 2017.12 - ALAS2-2024-2561: important priority package update for thunderbird

Severity Important

Affected Packages 4

CVEs 6

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2024-4777:
Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVE-2024-4770:
When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVE-2024-4769:
When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVE-2024-4768:
A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVE-2024-4767:
If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVE-2024-4367:
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Package	Affected Version
pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	< 115.11.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	< 115.11.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	< 115.11.0-1.amzn2.0.1
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	< 115.11.0-1.amzn2.0.1

ID

ALAS2-2024-2561

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2024-2561.html

Published

2024-06-06T20:17:00
(3 months ago)

Modified

2024-06-06T20:17:00
(3 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2024-4367	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4367
CVE	CVE-2024-4767	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4767
CVE	CVE-2024-4768	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4768
CVE	CVE-2024-4769	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4769
CVE	CVE-2024-4770	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4770
CVE	CVE-2024-4777	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4777

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird	< 115.11.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird	< 115.11.0-1.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 115.11.0-1.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 115.11.0-1.amzn2.0.1	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date