An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 115.12.1.
Security Fix(es):
* thunderbird: Use-after-free in networking (CVE-2024-5702)
* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)
* thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)
* thunderbird: Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)
* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)
* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)
* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2024-5688: Use After Free (CWE-416) CVE-2024-5690: Covert Timing Channel (CWE-385) CVE-2024-5691: Improper Access Control (CWE-284) CVE-2024-5693: Inclusion of Functionality from Untrusted Control Sphere (CWE-829) CVE-2024-5696: Improper Validation of Specified Type of Input (CWE-1287) CVE-2024-5700: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120) CVE-2024-5702: Use After Free (CWE-416)
|