Debian DLA-3674-1:thunderbird - LTS 安全更新
high Nessus 插件 ID 186485
语言:
简介
远程 Debian 主机上缺少一个或多个与安全性相关的更新。描述
远程 Debian 10 主机上安装的程序包受到 dla-3674 公告中提及的多个漏洞影响。- 在某些系统上,根据图形设置和驱动程序,可能会存在强制越界读取以及内存数据被泄漏到在画布元素上创建的图像中。此漏洞会影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。(CVE-2023-6204)
- 可能会导致 MessagePort 在释放后被使用,这可能会导致可利用的崩溃。此漏洞会影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。(CVE-2023-6205)
- 退出全屏时的黑色淡出动画大约是权限提示上的防点击劫持延迟的长度。利用这一事实,攻击者可以诱使用户单击权限授予按钮即将出现的位置来让用户感到意外。此漏洞会影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。(CVE-2023-6206)
- 所有权管理不善导致 ReadableByteStreams 中存在释放后使用漏洞。此漏洞会影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。(CVE-2023-6207)
- 使用 X11 时,页面使用 Selection API 选择的文本被错误地复制到主要选择中,这是与剪贴板不同的临时存储。*此错误仅影响 X11 版本的 Firefox。其他系统不受影响。*该漏洞影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。(CVE-2023-6208)
- 以三个斜线开头的相对 URL 被错误地解析,并且路径中的 path-traversal /../ 部分可用于覆盖指定主机。这可能会导致网站出现安全问题。此漏洞会影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。
(CVE-2023-6209)
- 在 Firefox 119、Firefox ESR 115.4 和 Thunderbird 115.4 中修复了内存安全缺陷。其中某些错误展示出内存损坏迹象,我们推测如果攻击者进行足够的尝试,则可以利用此漏洞运行任意代码。此漏洞会影响 Firefox < 120、Firefox ESR < 115.5.0 和 Thunderbird < 115.5。(CVE-2023-6212)
请注意,Nessus 尚未测试这些问题,而是只依据应用程序自我报告的版本号进行判断。
解决方案
升级 thunderbird 程序包。对于 Debian 10 buster,已在版本 1 中修复这些问题
另见
https://security-tracker.debian.org/tracker/source-package/thunderbird
https://www.debian.org/lts/security/2023/dla-3674
https://security-tracker.debian.org/tracker/CVE-2023-6204
https://security-tracker.debian.org/tracker/CVE-2023-6205
https://security-tracker.debian.org/tracker/CVE-2023-6206
https://security-tracker.debian.org/tracker/CVE-2023-6207
https://security-tracker.debian.org/tracker/CVE-2023-6208
https://security-tracker.debian.org/tracker/CVE-2023-6209
插件详情
严重性: High
ID: 186485
文件名: debian_DLA-3674.nasl
版本: 1.1
类型: local
代理: unix
发布时间: 2023/11/30
最近更新时间: 2023/12/22
支持的传感器: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
风险信息
VPR
风险因素: Medium
分数: 6.7
CVSS v2
风险因素: Critical
基本分数: 10
时间分数: 7.4
矢量: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 分数来源: CVE-2023-6212
CVSS v3
风险因素: High
基本分数: 8.8
时间分数: 7.7
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
时间矢量: CVSS:3.0/E:U/RL:O/RC:C
漏洞信息
CPE: p-cpe:/a:debian:debian_linux:thunderbird-l10n-el, p-cpe:/a:debian:debian_linux:thunderbird-l10n-he, p-cpe:/a:debian:debian_linux:thunderbird-l10n-id, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ro, p-cpe:/a:debian:debian_linux:thunderbird-l10n-all, p-cpe:/a:debian:debian_linux:thunderbird-l10n-kab, p-cpe:/a:debian:debian_linux:thunderbird-l10n-nn-no, p-cpe:/a:debian:debian_linux:thunderbird-l10n-tr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-bg, p-cpe:/a:debian:debian_linux:thunderbird-l10n-dsb, p-cpe:/a:debian:debian_linux:thunderbird-l10n-gd, p-cpe:/a:debian:debian_linux:thunderbird-l10n-cs, p-cpe:/a:debian:debian_linux:thunderbird-l10n-es-mx, p-cpe:/a:debian:debian_linux:thunderbird-l10n-et, p-cpe:/a:debian:debian_linux:thunderbird-l10n-fy-nl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ja, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sv-se, p-cpe:/a:debian:debian_linux:thunderbird-l10n-af, p-cpe:/a:debian:debian_linux:thunderbird-l10n-cak, p-cpe:/a:debian:debian_linux:thunderbird-l10n-da, p-cpe:/a:debian:debian_linux:thunderbird-l10n-fi, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hu, p-cpe:/a:debian:debian_linux:thunderbird-l10n-kk, p-cpe:/a:debian:debian_linux:thunderbird-l10n-nl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-rm, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:thunderbird-l10n-fr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-nb-no, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-es-es, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hsb, p-cpe:/a:debian:debian_linux:thunderbird-l10n-is, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pt-br, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ca, p-cpe:/a:debian:debian_linux:thunderbird-l10n-cy, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ru, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ar, p-cpe:/a:debian:debian_linux:thunderbird-l10n-en-ca, p-cpe:/a:debian:debian_linux:thunderbird-l10n-en-gb, p-cpe:/a:debian:debian_linux:thunderbird-l10n-lv, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sk, p-cpe:/a:debian:debian_linux:thunderbird-l10n-uz, p-cpe:/a:debian:debian_linux:thunderbird-l10n-be, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ga-ie, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hr, p-cpe:/a:debian:debian_linux:thunderbird-l10n-lt, p-cpe:/a:debian:debian_linux:thunderbird-l10n-br, p-cpe:/a:debian:debian_linux:thunderbird-l10n-uk, p-cpe:/a:debian:debian_linux:thunderbird-l10n-vi, p-cpe:/a:debian:debian_linux:thunderbird-l10n-de, p-cpe:/a:debian:debian_linux:thunderbird-l10n-gl, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ko, p-cpe:/a:debian:debian_linux:thunderbird-l10n-zh-cn, p-cpe:/a:debian:debian_linux:thunderbird, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ast, p-cpe:/a:debian:debian_linux:thunderbird-l10n-es-ar, p-cpe:/a:debian:debian_linux:thunderbird-l10n-th, p-cpe:/a:debian:debian_linux:thunderbird-l10n-zh-tw, p-cpe:/a:debian:debian_linux:thunderbird-l10n-it, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ka, p-cpe:/a:debian:debian_linux:thunderbird-l10n-ms, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pt-pt, p-cpe:/a:debian:debian_linux:thunderbird-l10n-eu, p-cpe:/a:debian:debian_linux:thunderbird-l10n-hy-am, p-cpe:/a:debian:debian_linux:thunderbird-l10n-pa-in, p-cpe:/a:debian:debian_linux:thunderbird-l10n-sq
必需的 KB 项: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
易利用性: No known exploits are available
补丁发布日期: 2023/11/30
漏洞发布日期: 2023/11/21
参考资料信息
CVE: CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212
IAVA: 2023-A-0654-S