[CLSA-2026:1783075621] thunderbird: Fix of 2 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-03 10:47:19 UTC
Description:
- CVE-2026-12313: Linux sandbox broker SymlinkPath() accepted paths containing /.. components, allowing a compromised content process to traverse out of allowed directories; reject any path that contains /../, equals .., starts with ../, or ends with /.. (Bug 2040477) - CVE-2026-33636: bundled libpng 1.6.39 NEON palette expansion (arm/palette_neon_intrinsics.c) had an out-of-bounds read/write when row_width was not aligned to chunk size; backport upstream libpng commit aba9f18 that rewrites the loop guard and removes the unsafe post-loop adjustment (compiled but unreachable on x86_64 ESU builds)
Updated packages:
  • thunderbird-115.4.1-1.el9_2.alma.tuxcare.els16.x86_64.rpm
    sha:994989094ff478c536da108142e9dd9b55bd147715b2864ab65f2102789f234a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.