[ALAS2-2024-2629] Amazon Linux 2 2017.12 - ALAS2-2024-2629: important priority package update for thunderbird

Severity Important
Affected Packages 4
CVEs 7

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2024-7529:
The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

CVE-2024-7527:
Unexpected marking work at the start of sweeping could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

CVE-2024-7526:
ANGLE failed to initialize parameters which led to reading from uninitialized memory. This could be leveraged to leak sensitive data from memory. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

CVE-2024-7525:
It was possible for a web extension with minimal permissions to create a StreamFilter which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

CVE-2024-7522:
Editor code failed to check an attribute value. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

CVE-2024-7521:
Incomplete WebAssembly exception handling could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

CVE-2024-7519:
Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2 | amazonlinux | thunderbird | < 115.14.0-1.amzn2.0.1 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/thunderbird?arch=aarch64&distro=amazonlinux-2 | amazonlinux | thunderbird | < 115.14.0-1.amzn2.0.1 | amazonlinux-2 | aarch64 | |
| Affected | pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux | thunderbird-debuginfo | < 115.14.0-1.amzn2.0.1 | amazonlinux-2 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=aarch64&distro=amazonlinux-2 | amazonlinux | thunderbird-debuginfo | < 115.14.0-1.amzn2.0.1 | amazonlinux-2 | aarch64 | |