Updated thunderbird packages fix security vulnerabilities
Publication date: 27 Apr 2024Modification date: 27 Apr 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-3852 , CVE-2024-3854 , CVE-2024-3857 , CVE-2024-2609 , CVE-2024-3859 , CVE-2024-3861 , CVE-2024-3302 , CVE-2024-3864
Description
CVE-2024-3852: GetBoundName in the JIT returned the wrong object
CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement
CVE-2024-3857: Incorrect JITting of arguments led to use-after-free
during garbage collection
CVE-2024-2609: Permission prompt input delay could expire when not in
focus
CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the
OpenType sanitizer
CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move
CVE-2024-3863: Download Protections were bypassed by .xrm-ms files on
Windows
CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames
CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR
115.10, and Thunderbird 115.10
References
- https://bugs.mageia.org/show_bug.cgi?id=33123
- https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3852
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3854
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3857
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2609
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3859
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3861
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3302
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3864
SRPMS
9/core
- thunderbird-115.10.1-1.mga9
- thunderbird-l10n-115.10.1-1.mga9