Wayne Mery

**Name of the Vulnerable Software and Affected Versions** Firefox version 150.0.1 Firefox ESR version 140.10.1 Firefox ESR version 115.35.1 **Description** Memory safety bugs exist that exhibit evidence of memory corruption, which could potentially be exploited to execute arbitrary code. **Recommendations** Update Firefox 150.0.1 to version 150.0.2. Update Firefox ESR 140.10.1 to version 140.10.2. Update Firefox ESR 115.35.1 to version 115.35.2.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 78.10.2 **Description** The issue arises when a MIME encoded email contains an OpenPGP inline signed or encrypted message part, along with an additional unprotected part. In such cases, Thunderbird fails to indicate that only parts of the message are protected. This is due to insufficient security measures implemented in the email client. An attacker could exploit this by sending a specially crafted email, potentially affecting data integrity. **Recommendations** For versions prior to 78.10.2, update to version 78.10.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 78.8.1 Description: The issue is related to errors in handling OpenPGP cryptographic signatures in the Thunderbird email client. Exploitation of this issue could allow a remote attacker to impact the confidentiality and integrity of protected information. Specifically, Thunderbird fails to protect a secret OpenPGP key before using it for decryption, signing, or key import tasks. If such a task fails, the secret key may remain in memory in its unprotected state. Recommendations: For versions prior to 78.8.1, update to version 78.8.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of OpenPGP keys in Thunderbird until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 60.5 **Description** A use-after-free issue can occur in Thunderbird when playing a sound notification. The memory containing the sound data is freed immediately, even though the sound is still being played asynchronously, which can lead to a potentially exploitable crash. **Recommendations** For versions prior to 60.5, update to version 60.5 or later to resolve the issue.