
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11708)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 11/28/2024; Added 11/27/2024; Modified 11/29/2024.
     Description: Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. This vulnerability affects Firefox < 133 and Thunderbird < 133.
     Solution(s): mozilla-firefox-upgrade-133_0
     References: https://attackerkb.com/topics/cve-2024-11708, CVE-2024-11708, http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
  2. Ubuntu: (Multiple Advisories) (CVE-2024-11694): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 01/10/2025.
     Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
     Solution(s): ubuntu-upgrade-firefox, ubuntu-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2024-11694, CVE-2024-11694, USN-7134-1, USN-7193-1
  3. Ubuntu: USN-7134-1 (CVE-2024-11704): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 02/06/2025.
     Description: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11704, CVE-2024-11704, USN-7134-1
  4. Amazon Linux AMI 2: CVE-2024-11694: Security patch for firefox (ALASFIREFOX-2024-033)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/21/2024; Added 12/20/2024; Modified 12/20/2024.
     Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
     Solution(s): amazon-linux-ami-2-upgrade-firefox, amazon-linux-ami-2-upgrade-firefox-debuginfo
     References: https://attackerkb.com/topics/cve-2024-11694, AL2/ALASFIREFOX-2024-033, CVE-2024-11694
  5. MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11706)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 11/28/2024; Added 11/27/2024; Modified 11/29/2024.
     Description: A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files. This vulnerability affects Firefox < 133 and Thunderbird < 133.
     Solution(s): mozilla-firefox-upgrade-133_0
     References: https://attackerkb.com/topics/cve-2024-11706, CVE-2024-11706, http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
  6. MFSA2024-64 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.5 (CVE-2024-11692)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 11/28/2024; Added 11/27/2024; Modified 11/29/2024.
     Description: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): mozilla-firefox-esr-upgrade-128_5
     References: https://attackerkb.com/topics/cve-2024-11692, CVE-2024-11692, http://www.mozilla.org/security/announce/2024/mfsa2024-64.html
  7. Oracle Linux: CVE-2024-11695: ELSA-2024-10592: thunderbird security update (IMPORTANT) (Multiple Advisories)
     Severity 6, CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N). Published 11/26/2024; Created 12/10/2024; Added 12/03/2024; Modified 01/07/2025.
     Description: A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): oracle-linux-upgrade-firefox, oracle-linux-upgrade-firefox-x11, oracle-linux-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2024-11695, CVE-2024-11695, ELSA-2024-10592, ELSA-2024-10702, ELSA-2024-10591, ELSA-2024-10752, ELSA-2024-10881
  8. Oracle Linux: CVE-2024-11694: ELSA-2024-10592: thunderbird security update (IMPORTANT) (Multiple Advisories)
     Severity 6, CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N). Published 11/26/2024; Created 12/10/2024; Added 12/03/2024; Modified 01/07/2025.
     Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): oracle-linux-upgrade-firefox, oracle-linux-upgrade-firefox-x11, oracle-linux-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2024-11694, CVE-2024-11694, ELSA-2024-10592, ELSA-2024-10702, ELSA-2024-10591, ELSA-2024-10752, ELSA-2024-10881
  9. FreeBSD: VID-2263EA04-AC81-11EF-998C-2CF05DA270F3 (CVE-2024-11669): Gitlab -- vulnerabilities
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N). Published 11/26/2024; Created 11/29/2024; Added 11/28/2024; Modified 01/28/2025.
     Description: An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes.
     Solution(s): freebsd-upgrade-package-gitlab-ce, freebsd-upgrade-package-gitlab-ee
     References: CVE-2024-11669
  10. MFSA2024-68 Thunderbird: Security Vulnerabilities fixed in Thunderbird 128.5 (CVE-2024-11698)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 11/28/2024; Added 11/27/2024; Modified 02/14/2025.
     Description: A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions like pressing "Esc" or accessing right-click menus, resulting in a disrupted browsing experience until the browser is restarted. *This bug only affects the application when running on macOS. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): mozilla-thunderbird-upgrade-128_5
     References: https://attackerkb.com/topics/cve-2024-11698, CVE-2024-11698, http://www.mozilla.org/security/announce/2024/mfsa2024-68.html
  11. Ubuntu: USN-7134-1 (CVE-2024-11696): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/04/2024.
     Description: The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11696, CVE-2024-11696, USN-7134-1
  12. Ubuntu: USN-7134-1 (CVE-2024-11695): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/04/2024.
     Description: A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11695, CVE-2024-11695, USN-7134-1
  13. Alma Linux: CVE-2024-11696: Important: thunderbird security update (Multiple Advisories)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/07/2024; Added 12/06/2024; Modified 12/06/2024.
     Description: The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): alma-upgrade-firefox, alma-upgrade-firefox-x11, alma-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2024-11696, CVE-2024-11696, https://errata.almalinux.org/8/ALSA-2024-10591.html, https://errata.almalinux.org/8/ALSA-2024-10752.html, https://errata.almalinux.org/9/ALSA-2024-10592.html, https://errata.almalinux.org/9/ALSA-2024-10702.html
  14. Alma Linux: CVE-2024-52337: Moderate: tuned security update (Multiple Advisories)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/19/2024.
     Description: A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
     Solution(s): alma-upgrade-tuned, alma-upgrade-tuned-gtk, alma-upgrade-tuned-ppd, alma-upgrade-tuned-profiles-atomic, alma-upgrade-tuned-profiles-compat, alma-upgrade-tuned-profiles-cpu-partitioning, alma-upgrade-tuned-profiles-mssql, alma-upgrade-tuned-profiles-oracle, alma-upgrade-tuned-profiles-postgresql, alma-upgrade-tuned-profiles-realtime, alma-upgrade-tuned-profiles-spectrumscale, alma-upgrade-tuned-utils, alma-upgrade-tuned-utils-systemtap
     References: https://attackerkb.com/topics/cve-2024-52337, CVE-2024-52337, https://errata.almalinux.org/8/ALSA-2024-11161.html, https://errata.almalinux.org/9/ALSA-2024-10384.html
  15. Ubuntu: USN-7134-1 (CVE-2024-11708): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/04/2024.
     Description: Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. This vulnerability affects Firefox < 133 and Thunderbird < 133.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11708, CVE-2024-11708, USN-7134-1
  16. Ubuntu: USN-7134-1 (CVE-2024-11701): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/04/2024.
     Description: The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133 and Thunderbird < 133.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11701, CVE-2024-11701, USN-7134-1
  17. Alma Linux: CVE-2024-11695: Important: thunderbird security update (Multiple Advisories)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/07/2024; Added 12/06/2024; Modified 12/06/2024.
     Description: A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): alma-upgrade-firefox, alma-upgrade-firefox-x11, alma-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2024-11695, CVE-2024-11695, https://errata.almalinux.org/8/ALSA-2024-10591.html, https://errata.almalinux.org/8/ALSA-2024-10752.html, https://errata.almalinux.org/9/ALSA-2024-10592.html, https://errata.almalinux.org/9/ALSA-2024-10702.html
  18. Ubuntu: USN-7134-1 (CVE-2024-11706): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/04/2024.
     Description: A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files. This vulnerability affects Firefox < 133 and Thunderbird < 133.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11706, CVE-2024-11706, USN-7134-1
  19. Ubuntu: USN-7134-1 (CVE-2024-11692): Firefox vulnerabilities
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 12/05/2024; Added 12/04/2024; Modified 12/04/2024.
     Description: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): ubuntu-upgrade-firefox
     References: https://attackerkb.com/topics/cve-2024-11692, CVE-2024-11692, USN-7134-1
  20. Red Hat: CVE-2024-11692: firefox: thunderbird: Select list elements could be shown over another site (Multiple Advisories)
     Severity 6, CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N). Published 11/26/2024; Created 02/11/2025; Added 02/10/2025; Modified 02/10/2025.
     Description: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
     Solution(s): redhat-upgrade-firefox, redhat-upgrade-firefox-debuginfo, redhat-upgrade-firefox-debugsource, redhat-upgrade-firefox-x11, redhat-upgrade-thunderbird, redhat-upgrade-thunderbird-debuginfo, redhat-upgrade-thunderbird-debugsource
     References: CVE-2024-11692, RHSA-2024:10591, RHSA-2024:10592, RHSA-2024:10667, RHSA-2024:10702, RHSA-2024:10710, RHSA-2024:10742, RHSA-2024:10745, RHSA-2024:10748, RHSA-2024:10752, RHSA-2024:10848
  21. Red Hat OpenShift: CVE-2024-8676: cri-o: Checkpoint restore can be triggered from different namespaces
     Severity 9, CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:N). Published 11/26/2024; Created 12/17/2024; Added 12/16/2024; Modified 01/30/2025.
     Description: A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies, are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
     Solution(s): linuxrpm-upgrade-cri-o
     References: https://attackerkb.com/topics/cve-2024-8676, CVE-2024-8676, RHSA-2025:0648
  22. MFSA2024-63 Firefox: Security Vulnerabilities fixed in Firefox 133 (CVE-2024-11694)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 11/26/2024; Created 11/28/2024; Added 11/27/2024; Modified 12/16/2024.
     Description: Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
     Solution(s): mozilla-firefox-upgrade-133_0
     References: https://attackerkb.com/topics/cve-2024-11694, CVE-2024-11694, http://www.mozilla.org/security/announce/2024/mfsa2024-63.html
  23. FreeBSD: VID-2263EA04-AC81-11EF-998C-2CF05DA270F3 (CVE-2024-8177): Gitlab -- vulnerabilities
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C). Published 11/26/2024; Created 11/29/2024; Added 11/28/2024; Modified 01/28/2025.
     Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry.
     Solution(s): freebsd-upgrade-package-gitlab-ce, freebsd-upgrade-package-gitlab-ee
     References: CVE-2024-8177
  24. FreeBSD: VID-2263EA04-AC81-11EF-998C-2CF05DA270F3 (CVE-2024-8114): Gitlab -- vulnerabilities
     Severity 9, CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C). Published 11/26/2024; Created 11/29/2024; Added 11/28/2024; Modified 01/28/2025.
     Description: An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.
     Solution(s): freebsd-upgrade-package-gitlab-ce, freebsd-upgrade-package-gitlab-ee
     References: CVE-2024-8114
  25. FreeBSD: VID-2263EA04-AC81-11EF-998C-2CF05DA270F3 (CVE-2024-8237): Gitlab -- vulnerabilities
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C). Published 11/26/2024; Created 11/29/2024; Added 11/28/2024; Modified 01/28/2025.
     Description: A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.
     Solution(s): freebsd-upgrade-package-gitlab-ce, freebsd-upgrade-package-gitlab-ee
     References: CVE-2024-8237