SUSE-SU-2020:14359-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:14359-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2020:14359-1
- Related
- Published
- 2020-05-08T14:06:56Z
- Modified
- 2020-05-08T14:06:56Z
- Summary
- Security update for MozillaFirefox
- Details
-
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 68.8.0 ESR MFSA 2020-17 (bsc#1171186)
- CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown
- CVE-2020-12388 (bmo#1618911) Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389 (bmo#1554110) Sandbox escape with improperly separated process types
- CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation
- CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
Since firefox-gcc8 now has disabled autoreqprov for firefox-libstdc++6 and firefox-libgcc_s1, those packages don't provide some capabilities, we have to disable AutoReqProv in MozillaFirefox too so they're not added as automatic requirements. (bsc#1162828)
- References
-
- https://www.suse.com/support/update/announcement/2020/suse-su-202014359-1/
- https://bugzilla.suse.com/1162828
- https://bugzilla.suse.com/1171186
- https://www.suse.com/security/cve/CVE-2020-12387
- https://www.suse.com/security/cve/CVE-2020-12388
- https://www.suse.com/security/cve/CVE-2020-12389
- https://www.suse.com/security/cve/CVE-2020-12392
- https://www.suse.com/security/cve/CVE-2020-12393
- https://www.suse.com/security/cve/CVE-2020-12395
- https://www.suse.com/security/cve/CVE-2020-6831