Mageia 2020-0009: mozjs60 security update

    Date: 05 Jan 2020
    Posted By: LinuxSecurity Advisories
    MGASA-2020-0009 - Updated mozjs60 packages fix security vulnerability
    
    Publication date: 05 Jan 2020
    URL: https://advisories.mageia.org/MGASA-2020-0009.html
    Type: security
    Affected Mageia releases: 7
    CVE: CVE-2019-11707,
         CVE-2019-11708
    
    The updated packages fix security vulnerabilities:
    
    A type confusion vulnerability can occur when manipulating JavaScript
    objects due to issues in Array.pop. This can allow for an exploitable
    crash. We are aware of targeted attacks in the wild abusing this flaw.
    This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3,
    and Thunderbird < 60.7.2. (CVE-2019-11707)
    
    Insufficient vetting of parameters passed with the Prompt:Open IPC message
    between child and parent processes can result in the non-sandboxed parent
    process opening web content chosen by a compromised child process. When
    combined with additional vulnerabilities this could result in executing
    arbitrary code on the user's computer. This vulnerability affects Firefox
    ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708)
    
    The mozjs60 package has been updated to version 60.9.0, fixing these issues
    and other bugs. The gjs package has been rebuilt against the updated mozjs60.
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=25910
    - https://lists.fedoraproject.org/archives/list/[list address obscured in source]/thread/OS4TDQ75LLRCFOAXMPHTQE6XCPJGZQ6X/
    - https://lists.fedoraproject.org/archives/list/[list address obscured in source]/thread/ZS2X4UWVWTNTNWOCAJYQO77GGSSI3H6K/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
    
    SRPMS:
    - 7/core/mozjs60-60.9.0-1.mga7
    - 7/core/gjs-1.56.2-1.1.mga7
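
To check a Mageia 7 host against the fixed builds listed under SRPMS, the following added example (not part of the advisory or of Mageia's tooling) flags installed packages built from an older mozjs60 or gjs source package. It assumes input lines in the form printed by `rpm -qa --qf '%{SOURCERPM}\n'`; the function names and sample lines are constructed for illustration, and the version comparison is a simplified rpmvercmp without epoch, `~` or `^` handling.

```python
import re

# Fixed source packages (version, release), taken from the advisory's SRPMS list.
FIXED = {"mozjs60": ("60.9.0", "1.mga7"), "gjs": ("1.56.2", "1.1.mga7")}

def _segments(s):
    # Runs of digits or letters; separators are ignored, as in rpmvercmp.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_srpm(line):
    """'mozjs60-60.7.0-1.mga7.src.rpm' -> ('mozjs60', '60.7.0', '1.mga7')."""
    stem = line.strip()
    if stem.endswith(".src.rpm"):
        stem = stem[:-len(".src.rpm")]
    return tuple(stem.rsplit("-", 2))

def unpatched(sourcerpm_lines):
    """Return sorted (name, installed, fixed) for builds older than the fix."""
    findings = set()
    for line in sourcerpm_lines:
        if line.count("-") < 2:          # e.g. "(none)" for gpg-pubkey entries
            continue
        name, version, release = parse_srpm(line)
        if name not in FIXED:
            continue
        fixed_v, fixed_r = FIXED[name]
        # Compare version first; fall back to release only when versions are equal.
        if (vercmp(version, fixed_v) or vercmp(release, fixed_r)) < 0:
            findings.add((name, f"{version}-{release}", f"{fixed_v}-{fixed_r}"))
    return sorted(findings)

# Constructed sample inventory (not real host output).
SAMPLE = ["mozjs60-60.7.0-1.mga7.src.rpm", "gjs-1.56.2-1.mga7.src.rpm",
          "bash-5.0-3.mga7.src.rpm", "(none)"]

if __name__ == "__main__":
    for name, installed, fixed in unpatched(SAMPLE):
        print(f"{name}: installed {installed}, fixed in {fixed}")
```

Matching on the source package name catches the binary library packages built from mozjs60 even when their own names differ from the SRPM name.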
    