Scientific Linux alert SLSA-2022:0538-1 (thunderbird)

From:
             
 
Farhan Ahmed <fahmed@fnal.gov>
To:
             
 
scientific-linux-errata@listserv.fnal.gov
Subject:
             
 
Security ERRATA Important: thunderbird on SL7.x x86_64
Date:
             
 
Tue, 15 Feb 2022 21:01:30 -0000
Message-ID:
             
 
<20220215210130.32393.13597@0acbe050e934>
Synopsis:          Important: thunderbird security update
Advisory ID:       SLSA-2022:0538-1
Issue Date:        2022-02-15
CVE Numbers:       CVE-2022-22754
                   CVE-2022-22756
                   CVE-2022-22760
                   CVE-2022-22761
                   CVE-2022-22763
                   CVE-2022-22759
                   CVE-2022-22764
--

This update upgrades Thunderbird to version 91.6.0.

Security Fix(es):

* Mozilla: Extensions could have bypassed permission confirmation during
update (CVE-2022-22754)

* Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
(CVE-2022-22764)

* Mozilla: Drag and dropping an image could have resulted in the dropped
object being an executable (CVE-2022-22756)

* Mozilla: Sandboxed iframes could have executed script if the parent
appended elements (CVE-2022-22759)

* Mozilla: Cross-Origin responses could be distinguished between script
and  non-script content-types (CVE-2022-22760)

* Mozilla: frame-ancestors Content Security Policy directive was not
enforced for framed extension pages (CVE-2022-22761)

* Mozilla: Script Execution during invalid object state (CVE-2022-22763)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
--

SL7
  x86_64
    thunderbird-91.6.0-1.el7_9.x86_64.rpm
    thunderbird-debuginfo-91.6.0-1.el7_9.x86_64.rpm

- Scientific Linux Development Team