Luật Nguyễn

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 67 Firefox ESR versions prior to 60.7 Thunderbird versions prior to 60.7 **Description** The issue is related to a flaw in the source confirmation mechanism of the canvas object in Firefox, Firefox ESR, and the Thunderbird email client. This flaw can be exploited by a remote attacker to disclose protected information. Specifically, images from a different domain can be read using a canvas object under certain circumstances, potentially allowing an attacker to steal image data from another site in violation of the same-origin policy. **Recommendations** For Firefox versions prior to 67, update to version 67 or later to resolve the issue. For Firefox ESR versions prior to 60.7, update to version 60.7 or later to resolve the issue. For Thunderbird versions prior to 60.7, update to version 60.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 61.0.3163.79 Opera versions prior to 61.0.3163.79 **Description** A use after free in PDFium allowed a remote attacker to potentially exploit memory corruption via a crafted PDF file. This issue affects Google Chrome for Linux, Windows, and Mac, as well as Opera. **Recommendations** For Google Chrome versions prior to 61.0.3163.79, update to version 61.0.3163.79 or later to resolve the issue. For Opera versions prior to 61.0.3163.79, update to a version that includes the fix for this issue, as Opera is based on Chromium and should include similar security patches.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.51.0 **Description** The 'globbing' feature in curl has a flaw that leads to integer overflow and out-of-bounds read via user-controlled input. This issue allows a user to specify a numerical range that can cause curl to write outside the dedicated heap allocated buffer or read outside the given buffer. The flaw exists only in the curl tool, not in the libcurl library. **Recommendations** For versions prior to 7.51.0, update to version 7.51.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the 'globbing' feature in curl until a patch is available. Restrict access to the 'globbing' functionality to minimize the risk of exploitation. Avoid using numerical ranges with a leading minus character, such as `[1--1]`, and ensure that the ending letter is specified when using letter ranges, such as `[L-Z]`.