Amazon Linux 2 Security Advisory: ALAS-2024-2638
Advisory Release Date: 2024-09-25 22:07 Pacific
Advisory Updated Date: 2024-10-02 14:30 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. (CVE-2024-7652)
A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. (CVE-2024-8381)
Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. (CVE-2024-8382)
The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. (CVE-2024-8384)
Affected Packages:
thunderbird
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update thunderbird to update your system.
aarch64:
thunderbird-115.15.0-1.amzn2.0.1.aarch64
thunderbird-debuginfo-115.15.0-1.amzn2.0.1.aarch64
src:
thunderbird-115.15.0-1.amzn2.0.1.src
x86_64:
thunderbird-115.15.0-1.amzn2.0.1.x86_64
thunderbird-debuginfo-115.15.0-1.amzn2.0.1.x86_64