rhba-2023:6004
Vulnerability from csaf_redhat
Published
2023-10-23 09:32
Modified
2025-03-23 07:34
Summary
Red Hat Bug Fix Advisory: Updated rhel9/thunderbird-flatpak container image

Notes

Topic
An updated rhel9/thunderbird-flatpak container image is now available in the Red Hat container registry.
Details
Mozilla Thunderbird is a standalone mail and newsgroup client. Flatpak is a system for running graphical applications as containers. Installing an application as a Flatpak rather than as an individual package allows it to be installed and updated independently of the host operating system. This updates the rhel9/thunderbird-flatpak image of Thunderbird in the Red Hat container registry.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An updated rhel9/thunderbird-flatpak container image is now available in the Red Hat container registry.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nFlatpak is a system for running graphical applications as containers. Installing an application as a Flatpak rather than as an individual package allows it to be installed and updated independently of the host operating system.\n\nThis updates the rhel9/thunderbird-flatpak image of Thunderbird in the Red Hat container registry.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHBA-2023:6004",
            url: "https://access.redhat.com/errata/RHBA-2023:6004",
         },
         {
            category: "external",
            summary: "https://catalog.redhat.com/software/containers/search",
            url: "https://catalog.redhat.com/software/containers/search",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhba-2023_6004.json",
         },
      ],
      title: "Red Hat Bug Fix Advisory: Updated rhel9/thunderbird-flatpak container image",
      tracking: {
         current_release_date: "2025-03-23T07:34:06+00:00",
         generator: {
            date: "2025-03-23T07:34:06+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHBA-2023:6004",
         initial_release_date: "2023-10-23T09:32:38+00:00",
         revision_history: [
            {
               date: "2023-10-23T09:32:38+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-10-23T09:32:38+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-23T07:34:06+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux AppStream (v. 9)",
                        product: {
                           name: "Red Hat Enterprise Linux AppStream (v. 9)",
                           product_id: "AppStream-9.2.0.Z.MAIN.EUS",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:enterprise_linux:9::appstream",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Enterprise Linux",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
                        product: {
                           name: "rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
                           product_id: "rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
                           product_identification_helper: {
                              purl: "pkg:oci/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7?arch=amd64&repository_url=registry.redhat.io/rhel9/thunderbird-flatpak&tag=flatpak-9020020231006114109.1",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "amd64",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
               product_id: "AppStream-9.2.0.Z.MAIN.EUS:rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
            },
            product_reference: "rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
            relates_to_product_reference: "AppStream-9.2.0.Z.MAIN.EUS",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-4863",
         cwe: {
            id: "CWE-122",
            name: "Heap-based Buffer Overflow",
         },
         discovery_date: "2023-09-11T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2238431",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "libwebp: Heap buffer overflow in WebP Codec",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This security issue has been classified as having an Important security impact. Desktop users are at a high risk of exploitation of this flaw with very minimal interaction. It may compromise the confidentiality, integrity, or availability of resources.\n\nCustomers using this application, which does server-side image processing by linking to the libwebp library, are also potentially impacted by this flaw and are advised to update to the fixed versions of the package.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "AppStream-9.2.0.Z.MAIN.EUS:rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-4863",
            },
            {
               category: "external",
               summary: "RHBZ#2238431",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2238431",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-4863",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-4863",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
            },
            {
               category: "external",
               summary: "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html",
               url: "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html",
            },
            {
               category: "external",
               summary: "https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/",
               url: "https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/",
            },
            {
               category: "external",
               summary: "https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/",
               url: "https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/",
            },
            {
               category: "external",
               summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
               url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
            },
         ],
         release_date: "2023-09-11T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-10-23T09:32:38+00:00",
               details: "To install and use Red Hat Enterprise Linux Flatpak content available in the the Red Hat Container Catalog, make sure that you have the latest version of the Flatpak client installed on your system:\n\nyum update flatpak\n\nAfter updating the Flatpak packages, add the Flatpak remote to your system:\n\nflatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo\n\nProvide the credentials for your Red Hat Enterprise Linux account:\n\npodman login registry.redhat.io\n\nPodman only saves credentials until the user logs out. To save your credentials permanently, run:\n\ncp $XDG_RUNTIME_DIR/containers/auth.json $HOME/.config/flatpak/oci-auth.json\n\nTo enable the RHEL Flatpak remote for a set of workstations within an organization, you should use a Registry Service Account. Credentials can be installed system-wide at /etc/flatpak/oci-auth.json.\n\nThen, you can install the Thunderbird Flatpak container image:\n\nflatpak install rhel org.thunderbird.Thunderbird\n\nFor more information about the image, search the <image_name> in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search.",
               product_ids: [
                  "AppStream-9.2.0.Z.MAIN.EUS:rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHBA-2023:6004",
            },
            {
               category: "workaround",
               details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
               product_ids: [
                  "AppStream-9.2.0.Z.MAIN.EUS:rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.6,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "AppStream-9.2.0.Z.MAIN.EUS:rhel9/thunderbird-flatpak@sha256:870084c57d8583ce25c8503df6b83df2553b72b463a7be67592f4661cdafd9e7_amd64",
               ],
            },
         ],
         threats: [
            {
               category: "exploit_status",
               date: "2023-09-13T00:00:00+00:00",
               details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
            },
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "libwebp: Heap buffer overflow in WebP Codec",
      },
   ],
}

