critical: sudo/thunderbird security update
critical
An update for sudo/thunderbird is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.
thunderbird: Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
sudo: A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction. (CVE-2019-14287)
sudo: bugfix
thunderbird: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)
thunderbird: No description is available for this CVE. (CVE-2019-11757)
thunderbird: No description is available for this CVE. (CVE-2019-11758)
thunderbird: No description is available for this CVE. (CVE-2019-11762)
thunderbird: No description is available for this CVE. (CVE-2019-11763)
thunderbird: No description is available for this CVE. (CVE-2019-11764)
thunderbird: No description is available for this CVE. (CVE-2019-11759)
thunderbird: No description is available for this CVE. (CVE-2019-11760)
thunderbird: No description is available for this CVE. (CVE-2019-11761)
thunderbird: bugfix
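A defender-side check for the sudoers pattern that CVE-2019-14287 concerns: an entry that grants every Runas user except root. This is an added example, not code from NewStart or the sudo project; the function names and the sample sudoers text are constructed for illustration, and the parsing approximates the sudoers grammar (it does not follow include directives).

```python
import re

# Constructed sample sudoers content for illustration (not from the advisory).
SAMPLE_SUDOERS = """\
Runas_Alias NOTROOT = ALL, !root
alice ALL = (ALL, !root) /usr/bin/vi
bob   ALL = (NOTROOT) /usr/bin/id
carol ALL = (ALL) ALL
dave  ALL = (www-data) /usr/bin/systemctl restart httpd
erin  ALL = (ALL, !#0 : ALL) NOPASSWD: /bin/ls
"""

ROOT_NEGATIONS = {"!root", "!#0"}
NON_SPEC = ("Defaults", "Runas_Alias", "User_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash continuations and drop comments ('#' + digit is a uid)."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"#(?!\d).*", "", raw).strip()
        if line:
            yield line

def expand(items, aliases, depth=0):
    """Resolve Runas_Alias names to their members (bounded recursion)."""
    out = set()
    for item in items:
        nested = aliases.get(item) if depth < 8 else None
        out |= expand(nested, aliases, depth + 1) if nested else {item}
    return out

def find_all_but_root_entries(sudoers_text):
    """Return user specs whose Runas user list is ALL with root negated."""
    lines = list(logical_lines(sudoers_text))
    aliases = {}
    for line in lines:
        if line.startswith("Runas_Alias"):
            for part in line[len("Runas_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = [m.strip() for m in members.split(",")]
    hits = []
    for line in lines:
        if line.startswith(NON_SPEC) or "=" not in line:
            continue
        for runas in re.findall(r"\(([^)]*)\)", line.split("=", 1)[1]):
            flat = expand([u.strip() for u in runas.split(":")[0].split(",")], aliases)
            if "ALL" in flat and flat & ROOT_NEGATIONS:
                hits.append(line)
                break
    return hits
```

Entries returned by `find_all_but_root_entries()` depend on the exclusion of root being enforced, so hosts that carry them are the ones to prioritize for this update.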
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F19.