Updated mozjs60 packages fix security vulnerability
Publication date: 05 Jan 2020Modification date: 05 Jan 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-11707 , CVE-2019-11708
Description
The updated packages fix security vulnerabilities:
A type confusion vulnerability can occur when manipulating JavaScript
objects due to issues in Array.pop. This can allow for an exploitable
crash. We are aware of targeted attacks in the wild abusing this flaw.
This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3,
and Thunderbird < 60.7.2. (CVE-2019-11707)
Insufficient vetting of parameters passed with the Prompt:Open IPC message
between child and parent processes can result in the non-sandboxed parent
process opening web content chosen by a compromised child process. When
combined with additional vulnerabilities this could result in executing
arbitrary code on the user's computer. This vulnerability affects Firefox
ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708)
The mozjs60 package has been updated to version 60.9.0, fixing these issues
and other bugs. The gjs package has been rebuilt against the updated mozjs60.
References
- https://bugs.mageia.org/show_bug.cgi?id=25910
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OS4TDQ75LLRCFOAXMPHTQE6XCPJGZQ6X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZS2X4UWVWTNTNWOCAJYQO77GGSSI3H6K/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
SRPMS
7/core
- mozjs60-60.9.0-1.mga7
- gjs-1.56.2-1.1.mga7