Advisories » MGASA-2023-0266

Updated firefox/thunderbird packages fix security vulnerability

Publication date: 24 Sep 2023
Modification date: 24 Sep 2023
Type: security
Affected Mageia releases : 8 , 9
CVE: CVE-2023-3600 , CVE-2023-4045 , CVE-2023-4046 , CVE-2023-4047 , CVE-2023-4048 , CVE-2023-4049 , CVE-2023-4050 , CVE-2023-4051 , CVE-2023-4053 , CVE-2023-4055 , CVE-2023-4056 , CVE-2023-4057 , CVE-2023-4573 , CVE-2023-4574 , CVE-2023-4575 , CVE-2023-4576 , CVE-2023-4577 , CVE-2023-4578 , CVE-2023-4580 , CVE-2023-4581 , CVE-2023-4583 , CVE-2023-4584 , CVE-2023-4585 , CVE-2023-4863

Description

Use-after-free in workers. (CVE-2023-3600)

File Extension Spoofing using the Text Direction Override Character.
(CVE-2023-3417)

Offscreen Canvas could have bypassed cross-origin restrictions.
(CVE-2023-4045)

Incorrect value used during WASM compilation. (CVE-2023-4046)

Potential permissions request bypass via clickjacking. (CVE-2023-4047)

Crash in DOMParser due to out-of-memory conditions. (CVE-2023-4048)

Fix potential race conditions when releasing platform objects.
(CVE-2023-4049)

Stack buffer overflow in StorageManager. (CVE-2023-4050)

Cookie jar overflow caused unexpected cookie jar state. (CVE-2023-4055)

Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR
102.14, Thunderbird 115.1, and Thunderbird 102.14. (CVE-2023-4056)

Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and
Thunderbird 115.1. (CVE-2023-4057)

Memory corruption in IPC CanvasTranslator. (CVE-2023-4573)

Memory corruption in IPC ColorPickerShownCallback. (CVE-2023-4574)

Memory corruption in IPC FilePickerShownCallback. (CVE-2023-4575)

Integer Overflow in RecordedSourceSurfaceCreation. (CVE-2023-4576)

Memory corruption in JIT UpdateRegExpStatics. (CVE-2023-4577)

Full screen notification obscured by file open dialog. (CVE-2023-4051)

Error reporting methods in SpiderMonkey could have triggered an Out of
Memory Exception. (CVE-2023-4578)

Full screen notification obscured by external program. (CVE-2023-4053)

Push notifications saved to disk unencrypted. (CVE-2023-4580)

XLL file extensions were downloadable without warnings. (CVE-2023-4581)

Browsing Context potentially not cleared when closing Private Window.
(CVE-2023-4583)

Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR
115.2, Thunderbird 102.15, and Thunderbird 115.2. (CVE-2023-4584)

Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and
Thunderbird 115.2. (CVE-2023-4585)

Heap buffer overflow in libwebp. (CVE-2023-4863)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=32258
• https://www.mozilla.org/en-US/firefox/115.0.1/releasenotes/
• https://www.mozilla.org/en-US/firefox/115.0.2/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/
• https://www.mozilla.org/en-US/firefox/115.0.3/releasenotes/
• https://www.mozilla.org/en-US/firefox/115.1.0/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
• https://www.mozilla.org/en-US/firefox/115.2.0/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/
• https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_93.html
• https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
• https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/
• https://www.thunderbird.net/en-US/thunderbird/115.0.1/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/
• https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/
• https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes/
• https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/
• https://www.mozilla.org/en-US/firefox/115.2.1/releasenotes/
• https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes/
• https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3600
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4045
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4046
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4047
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4048
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4049
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4050
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4051
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4053
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4055
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4056
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4057
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4573
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4574
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4575
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4576
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4577
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4578
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4580
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4581
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4583
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4584
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4585
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863

SRPMS

8/core

• rootcerts-20230720.00-1.mga8
• nss-3.93.0-1.mga8
• firefox-102.15.1-1.mga8
• firefox-l10n-102.15.1-1.mga8
• thunderbird-102.15.1-1.mga8
• thunderbird-l10n-102.15.1-1.mga8

9/core

• rootcerts-20230720.00-1.mga9
• nss-3.93.0-1.mga9
• firefox-115.2.1-1.mga9
• firefox-l10n-115.2.1-1.mga9
• thunderbird-115.2.2-1.mga9
• thunderbird-l10n-115.2.2-1.mga9