Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Mageia Firefox Update 2020-0274: Critical Memory Safety Issues

mageia
Calendar Grey July 4, 2020
Dist Mageia Esm H88
The latest update for Firefox on Mageia as of July 2020 addresses severe vulnerabilities, including potential timing attacks and issues related to memory corruption. Ensure your security!
Updated nss and firefox packages fix security vulnerabilities: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak pri...

Summary

Updated nss and firefox packages fix security vulnerabilities:
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys (CVE-2020-12399).
Side channel vulnerabilities during RSA key generation in NSS (CVE-2020-12402).
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash due to a use-after-free (CVE-2020-12405).
Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash due to type confusion with NativeTypes. We presume that with enough effort that it could be exploited to run arbitrary code (CVE-2020-12406).
Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12410).
...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=26890

- https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/YDlWqMPNR9Y

- - https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/

- https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/

- https://lists.debian.org/debian-lts-announce/2020/06/msg00038.html

- https://www.cve.org/CVERecord?id=CVE-2020-12417

- https://www.cve.org/CVERecord?id=CVE-2020-12418

- https://www.cve.org/CVERecord?id=CVE-2020-12419

- https://www.cve.org/CVERecord?id=CVE-2020-12420

- https://www.cve.org/CVERecord?id=CVE-2020-12421

Topics%20covered

Topics Covered

security advisory firefox timing attack memory safety crash nss mageia

Resolution

SRPMS

- 7/core/nspr-4.26-1.mga7

- 7/core/rootcerts-20200612.00-1.mga7

- 7/core/nss-3.52.1-1.1.mga7

- 7/core/firefox-68.10.0-1.mga7

- 7/core/firefox-l10n-68.10.0-1.mga7

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 04 Jul 2020
URL: https://advisories.mageia.org/MGASA-2020-0274.html
Type: security
CVE: CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, CVE-2020-12421

Topics%20covered

Topics Covered

security advisory firefox timing attack memory safety crash nss mageia

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here