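Debian DLA-3196-1: thunderbird - LTS security update

critical Nessus Plugin ID 167913

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The packages installed on the remote Debian 10 host are affected by multiple vulnerabilities referenced in the dla-3196 advisory.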

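- Service Workers should not be able to infer information about opaque cross-origin responses; however, timing information for cross-origin media, combined with Range requests, might allow them to determine whether a media file exists or what its length is. (CVE-2022-45403)

- Through a series of popups and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, which could lead to user confusion or spoofing attacks. (CVE-2022-45404)

- Freeing an arbitrary nsIInputStream on a thread different from the one it was created on could result in a use-after-free and a potentially exploitable crash. (CVE-2022-45405)

- If an out-of-memory condition occurs while a JavaScript global is being created, a JavaScript realm may be deleted while references to it still exist in a BaseShape. This could cause a use-after-free, leading to a potentially exploitable crash. (CVE-2022-45406)

- Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, which could lead to user confusion or spoofing attacks. (CVE-2022-45408)

- The garbage collector could have been aborted in several states and zones, and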

Solution

Upgrade the thunderbird packages.

For Debian 10 buster, these problems have been fixed in version 1

See Also

https://security-tracker.debian.org/tracker/source-package/thunderbird

https://packages.debian.org/source/buster/thunderbird

https://security-tracker.debian.org/tracker/CVE-2022-45403

https://security-tracker.debian.org/tracker/CVE-2022-45404

https://security-tracker.debian.org/tracker/CVE-2022-45405

https://security-tracker.debian.org/tracker/CVE-2022-45406

https://security-tracker.debian.org/tracker/CVE-2022-45408

https://security-tracker.debian.org/tracker/CVE-2022-45409

https://security-tracker.debian.org/tracker/CVE-2022-45410

https://security-tracker.debian.org/tracker/CVE-2022-45411

https://security-tracker.debian.org/tracker/CVE-2022-45412

https://security-tracker.debian.org/tracker/CVE-2022-45416

https://security-tracker.debian.org/tracker/CVE-2022-45418

https://security-tracker.debian.org/tracker/CVE-2022-45420

https://security-tracker.debian.org/tracker/CVE-2022-45421

https://www.debian.org/lts/security/2022/dla-3196

Plugin Details

Severity: Critical

ID: 167913

File Name: debian_DLA-3196.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2022/11/18

Updated: 2023/1/5

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-45421

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-45406

Vulnerability Information

CPE: cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:calendar-google-provider:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-all:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ar:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ast:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-be:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-bg:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-br:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ca:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-cs:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-da:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-de:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-dsb:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-el:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-en-gb:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-es-ar:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-es-es:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-et:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-eu:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-fi:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-fr:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-fy-nl:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ga-ie:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-gd:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-gl:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-he:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-hr:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-hsb:*:*:*:*:*:*:*, 
p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-hu:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-hy-am:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-id:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-is:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-it:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ja:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-kab:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ko:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-lt:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-nb-no:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-nl:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-nn-no:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-pa-in:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-pl:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-pt-br:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-pt-pt:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-rm:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ro:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ru:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-sk:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-sl:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-sq:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-sr:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-sv-se:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-tr:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-uk:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-vi:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-zh-cn:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-zh-tw:*:*:*:*:*:*:*, 
p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-cak:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-cy:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ka:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-kk:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-ms:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-uz:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-af:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-en-ca:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-lv:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-th:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:thunderbird-l10n-es-mx:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2022/11/17

Vulnerability Publication Date: 2022/11/15

Reference Information

CVE: CVE-2022-45405, CVE-2022-45408, CVE-2022-45406, CVE-2022-45421, CVE-2022-45409, CVE-2022-45404, CVE-2022-45403, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420

IAVA: 2022-A-0492-S