==========================================================================
Ubuntu Security Notice USN-6750-1
April 25, 2024

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-2609, CVE-2024-3852,
CVE-2024-3864)

Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)

Lukas Bernhard discovered that Thunderbird did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulnerability.
An attacker could possibly use this issue to cause a denial of service or
expose sensitive information. (CVE-2024-3854)

Lukas Bernhard discovered that Thunderbird did not properly manage memory
when handling JIT created code during garbage collection. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3857)

Ronald Crane discovered that Thunderbird did not properly manage memory in
the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a denial
of service or expose sensitive information. (CVE-2024-3859)

Ronald Crane discovered that Thunderbird did not properly manage memory
when handling an AlignedBuffer. An attacker could potentially exploit this
issue to cause denial of service, or execute arbitrary code. (CVE-2024-3861)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  thunderbird                     1:115.10.1+build1-0ubuntu0.23.10.1

Ubuntu 22.04 LTS:
  thunderbird                     1:115.10.1+build1-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  thunderbird                     1:115.10.1+build1-0ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6750-1
  CVE-2024-2609, CVE-2024-3302, CVE-2024-3852, CVE-2024-3854,
  CVE-2024-3857, CVE-2024-3859, CVE-2024-3861, CVE-2024-3864

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.20.04.1

Ubuntu 6750-1: Thunderbird Security Advisory Updates

April 25, 2024
Several security issues were fixed in Thunderbird.

Summary

A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-2609, CVE-2024-3852, CVE-2024-3864) Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2 CONTINUATION frames. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-3302) Lukas Bernhard discovered that Thunderbird did not properly manage memory during JIT optimisations, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-3854) Lukas Bernhard discovered that Thunderbird did not properly manage memory when handling JIT created code during garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-3857) Ronald Crane discovered that Thunderbird did not properly manage memory in the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-3859) Ronald Crane discovered that Thunderbird did not properly manage memory when handling an AlignedBuffer. An attacker could potentially exploit this issue to cause denial of service, or execute arbitrary code. (CVE-2024-3861)

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: thunderbird 1:115.10.1+build1-0ubuntu0.23.10.1 Ubuntu 22.04 LTS: thunderbird 1:115.10.1+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:115.10.1+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6750-1

CVE-2024-2609, CVE-2024-3302, CVE-2024-3852, CVE-2024-3854,

CVE-2024-3857, CVE-2024-3859, CVE-2024-3861, CVE-2024-3864

Severity
Ubuntu Security Notice USN-6750-1

Package Information

https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.20.04.1

Related News

2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved