ALAS-2024-2497

Related Vulnerabilities: CVE-2024-1936  


Amazon Linux 2 Security Advisory: ALAS-2024-2497
Advisory Release Date: 2024-03-13 20:26 Pacific
Advisory Updated Date: 2024-03-18 20:24 Pacific
Severity: Low

Issue Overview:

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, available from the context menu of email folders, which erases incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1. (CVE-2024-1936)


Affected Packages:

thunderbird


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update thunderbird to update your system.

New Packages:
aarch64:
    thunderbird-115.8.1-1.amzn2.0.1.aarch64
    thunderbird-debuginfo-115.8.1-1.amzn2.0.1.aarch64

src:
    thunderbird-115.8.1-1.amzn2.0.1.src

x86_64:
    thunderbird-115.8.1-1.amzn2.0.1.x86_64
    thunderbird-debuginfo-115.8.1-1.amzn2.0.1.x86_64
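
The following shell check is an added example, not part of the Amazon advisory: it classifies installed thunderbird builds against the fixed package listed under New Packages and reminds the operator that updated hosts still need the folder repair described in the Issue Overview. The host names and the non-fixed version strings in the sample inventory are constructed, and GNU sort -V is assumed as a stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Fixed version-release, taken from the advisory's "New Packages" list.
FIXED_VR="115.8.1-1.amzn2.0.1"

# vr_lt A B: succeed when version-release A sorts strictly before B.
# Assumption: GNU "sort -V" stands in for RPM's own comparison; it orders
# dotted numeric strings like these correctly (8 < 10), epochs are ignored.
vr_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify VR: print "vulnerable" for builds older than the fix, else "fixed".
classify() {
    if vr_lt "$1" "$FIXED_VR"; then echo vulnerable; else echo fixed; fi
}

# audit_inventory: read "host version-release" pairs on stdin. A pair can be
# collected per host with: rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird
audit_inventory() {
    while read -r host vr; do
        [ -n "$vr" ] || continue
        if [ "$(classify "$vr")" = vulnerable ]; then
            echo "$host $vr VULNERABLE: yum update thunderbird, then repair folders"
        else
            # Updating does not undo earlier contamination (see Issue Overview).
            echo "$host $vr fixed: repair folders to clear stale subjects"
        fi
    done
}

# Constructed sample inventory: host names and the non-fixed builds are invented.
sample_inventory() {
    cat <<'EOF'
ws-01 102.15.0-1.amzn2.0.1
ws-02 115.8.0-1.amzn2.0.1
ws-03 115.8.1-1.amzn2.0.1
ws-04 115.10.0-1.amzn2.0.1
EOF
}

sample_inventory | audit_inventory
```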