Updated firefox packages fix security vulnerabilities
Publication date: 12 Sep 2019Modification date: 12 Sep 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2019-9812 , CVE-2019-11740 , CVE-2019-11742 , CVE-2019-11743 , CVE-2019-11744 , CVE-2019-11746 , CVE-2019-11752 , CVE-2019-11753
Description
The updated packages fix several bugs and some security issues: Sandbox escape through Firefox Sync. (CVE-2019-9812) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9. (CVE-2019-11740) Same-origin policy violation with SVG filters and canvas to steal cross-origin images. (CVE-2019-11742) Cross-origin access to unload event attributes. (CVE-2019-11743) XSS by breaking out of title and textarea elements using innerHTML. (CVE-2019-11744) Use-after-free while manipulating video. (CVE-2019-11746) Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (CVE-2019-11753)
References
- https://bugs.mageia.org/show_bug.cgi?id=25359
- https://www.mozilla.org/en-US/firefox/60.9.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/
- https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
- https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/RQtSKOF9rM0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9812
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11753
SRPMS
6/core
- firefox-60.9.0-1.mga6
- firefox-l10n-60.9.0-1.mga6
- rootcerts-20190820.00-1.mga6
- nspr-4.22-1.mga6
- nss-3.36.8-1.2.mga6