type: security
subject: Updated firefox packages fix security vulnerabilities
CVE:
 - CVE-2019-20503
 - CVE-2020-6805
 - CVE-2020-6806
 - CVE-2020-6807
 - CVE-2020-6811
 - CVE-2020-6812
 - CVE-2020-6814
src:
  7:
   core:
     - firefox-68.6.0-1.mga7
     - firefox-l10n-68.6.0-1.mga7
     - nss-3.51.0-1.mga7
description: |
  Updated firefox packages fix security vulnerabilities:

  The inputs to sctp_load_addresses_from_init are verified by
  sctp_arethere_unrecognized_parameters; however, the two functions
  handled parameter bounds differently, resulting in out-of-bounds
  reads when parameters are partially outside a chunk (CVE-2019-20503).

  When removing data about an origin whose tab was recently closed,
  a use-after-free could occur in the Quota manager, resulting in a
  potentially exploitable crash (CVE-2020-6805).

  By carefully crafting promise resolutions, it was possible to cause an
  out-of-bounds read off the end of an array resized during script execution.
  This could have led to memory corruption and a potentially exploitable
  crash (CVE-2020-6806).

  When a device was changed while a stream was about to be destroyed, the
  stream-reinit task may have been executed after the stream was destroyed,
  causing a use-after-free and a potentially exploitable crash
  (CVE-2020-6807).

  The 'Copy as cURL' feature of Devtools' network tab did not properly escape
  the HTTP method of a request, which can be controlled by the website. If a
  user used the 'Copy as cURL' feature and pasted the command into a terminal,
  it could have resulted in command injection and arbitrary command execution
  (CVE-2020-6811).

  The first time AirPods are connected to an iPhone, they become named after
  the user's name by default (e.g. Jane Doe's AirPods). Websites with camera
  or microphone permission are able to enumerate device names, disclosing the
  user's name. To resolve this issue, Firefox added a special case that
  renames devices containing the substring 'AirPods' to simply 'AirPods'
  (CVE-2020-6812).

  Mozilla developers and community members Byron Campen, Jason Kratzer, and
  Christian Holler reported memory safety bugs present in Firefox 73 and
  Firefox ESR 68.5. Some of these bugs showed evidence of memory corruption
  and we presume that with enough effort some of these could have been
  exploited to run arbitrary code (CVE-2020-6814).

  nss has been updated to 3.51 fixing various bugs and crashes.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=26325
 - https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/
 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.51_release_notes
ID: MGASA-2020-0141