alsa-2024:9552
Vulnerability from osv_almalinux
Published
2024-11-13 00:00
Modified
2024-11-18 18:10
Summary
Important: thunderbird security update
Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill) (CVE-2024-9680)
  • firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)
  • firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)
  • firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)
  • firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)
  • firefox: thunderbird: Clipboard "paste" button persisted across tabs (CVE-2024-10465)
  • firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)
  • firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)
  • firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)
  • firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.4.0-1.el9_5.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.  \n\nSecurity Fix(es):  \n\n  * firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill) (CVE-2024-9680)\n  * firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)\n  * firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)\n  * firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)\n  * firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)\n  * firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)\n  * firefox: thunderbird: Clipboard \"paste\" button persisted across tabs (CVE-2024-10465)\n  * firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)\n  * firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)\n  * firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)\n  * firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2024:9552",
  "modified": "2024-11-18T18:10:34Z",
  "published": "2024-11-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:9552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10458"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10459"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10460"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10461"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10462"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10463"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10464"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10467"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9680"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2317442"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322424"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322425"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322428"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322429"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322433"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322434"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322438"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322439"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322440"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2322444"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-9552.html"
    }
  ],
  "related": [
    "CVE-2024-9680",
    "CVE-2024-10464",
    "CVE-2024-10461",
    "CVE-2024-10458",
    "CVE-2024-10459",
    "CVE-2024-10467",
    "CVE-2024-10465",
    "CVE-2024-10466",
    "CVE-2024-10463",
    "CVE-2024-10462",
    "CVE-2024-10460"
  ],
  "summary": "Important: thunderbird security update"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.