Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2022-0097)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2022.0097

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2022-0097)

Zusammenfassung: The remote host is missing an update for the 'thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2022-0097 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2022-0097 advisory.

Vulnerability Insight:
An attacker could have caused a use-after-free by forcing a text reflow in an
SVG object leading to a potentially exploitable crash (CVE-2022-26381).

When resizing a popup after requesting fullscreen access, the popup would not
display the fullscreen notification (CVE-2022-26383).

If an attacker could control the contents of an iframe sandboxed with
allow-popups but not allow-scripts, they were able to craft a link that, when
clicked, would lead to JavaScript execution in violation of the sandbox
(CVE-2022-26384).

Previously Thunderbird for macOS and Linux would download temporary files to
a user-specific directory in /tmp, but this behavior was changed to download
them to /tmp where they could be affected by other local users. This behavior
was reverted to the original, user-specific directory (CVE-2022-26386).

When installing an add-on, Thunderbird verified the signature before
prompting the user, but while the user was confirming the prompt, the
underlying add-on file could have been modified and Thunderbird would not
have noticed (CVE-2022-26387).

Affected Software/OS:
'thunderbird, thunderbird-l10n' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2022-26381
https://bugzilla.mozilla.org/show_bug.cgi?id=1736243
https://www.mozilla.org/security/advisories/mfsa2022-10/
https://www.mozilla.org/security/advisories/mfsa2022-11/
https://www.mozilla.org/security/advisories/mfsa2022-12/
Common Vulnerability Exposure (CVE) ID: CVE-2022-26383
https://bugzilla.mozilla.org/show_bug.cgi?id=1742421
Common Vulnerability Exposure (CVE) ID: CVE-2022-26384
https://bugzilla.mozilla.org/show_bug.cgi?id=1744352
Common Vulnerability Exposure (CVE) ID: CVE-2022-26386
https://bugzilla.mozilla.org/show_bug.cgi?id=1752396
Common Vulnerability Exposure (CVE) ID: CVE-2022-26387
https://bugzilla.mozilla.org/show_bug.cgi?id=1752979

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2022.0097
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2022-0097)
Zusammenfassung:	The remote host is missing an update for the 'thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2022-0097 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2022-0097 advisory. Vulnerability Insight: An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash (CVE-2022-26381). When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification (CVE-2022-26383). If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox (CVE-2022-26384). Previously Thunderbird for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory (CVE-2022-26386). When installing an add-on, Thunderbird verified the signature before prompting the user, but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed (CVE-2022-26387). Affected Software/OS: 'thunderbird, thunderbird-l10n' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2022-26381 https://bugzilla.mozilla.org/show_bug.cgi?id=1736243 https://www.mozilla.org/security/advisories/mfsa2022-10/ https://www.mozilla.org/security/advisories/mfsa2022-11/ https://www.mozilla.org/security/advisories/mfsa2022-12/ Common Vulnerability Exposure (CVE) ID: CVE-2022-26383 https://bugzilla.mozilla.org/show_bug.cgi?id=1742421 Common Vulnerability Exposure (CVE) ID: CVE-2022-26384 https://bugzilla.mozilla.org/show_bug.cgi?id=1744352 Common Vulnerability Exposure (CVE) ID: CVE-2022-26386 https://bugzilla.mozilla.org/show_bug.cgi?id=1752396 Common Vulnerability Exposure (CVE) ID: CVE-2022-26387 https://bugzilla.mozilla.org/show_bug.cgi?id=1752979
Copyright	Copyright (C) 2022 Greenbone AG