Alpine: thunderbird: security update to 128.5.0-r0

critical Tenable Self-Hosted Container Security Plugin ID 427464

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5,
Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11699)

- Certain WebGL operations on Apple silicon M series devices could have led to an out-of-bounds write and
memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M
series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR <
128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
(CVE-2024-11691)

- An attacker could cause a select dropdown to be shown over another tab; this could have led to user
confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5,
Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11692)

- The executable file warning was not presented when downloading .library-ms files. *Note: This issue only
affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects
Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11693)

- Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and
DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have
exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox <
133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird <
115.18. (CVE-2024-11694)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-11691

https://security.alpinelinux.org/vuln/CVE-2024-11692

https://security.alpinelinux.org/vuln/CVE-2024-11693

https://security.alpinelinux.org/vuln/CVE-2024-11694

https://security.alpinelinux.org/vuln/CVE-2024-11695

https://security.alpinelinux.org/vuln/CVE-2024-11696

https://security.alpinelinux.org/vuln/CVE-2024-11697

https://security.alpinelinux.org/vuln/CVE-2024-11699

Plugin Details

Severity: Critical

ID: 427464

Version: Revision 1.2

Type: Local

Published: 5/16/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-11699

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-11693

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/25/2024

Reference Information

CVE: CVE-2024-11691, CVE-2024-11692, CVE-2024-11693, CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697, CVE-2024-11699

IAVA: 2024-A-0769-S