
Mageia 7: 2020-0395 Moderate: Firefox Memory Corruption Attack

Mageia, October 24, 2020
Patch note MGASA-2020-0395 for Firefox and NSS addresses memory safety vulnerabilities that could allow arbitrary code execution, and an NSS flaw that could allow a remote denial of service.

Summary

Mozilla developers and community members Jason Kratzer, Simon Giesecke, Philipp, and Christian Holler reported memory safety bugs present in Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15683).
A use-after-free bug in the usrsctp library was reported upstream. We assume this could have led to memory corruption and a potentially exploitable crash (CVE-2020-15969).
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58 (CVE-2020-25648).

References

- https://bugs.mageia.org/show_bug.cgi?id=27460

- https://www.mozilla.org/en-US/security/advisories/mfsa2020-46/

- https://access.redhat.com/errata/RHSA-2020:4310

- https://www.cve.org/CVERecord?id=CVE-2020-15683

- https://www.cve.org/CVERecord?id=CVE-2020-15969

- https://www.cve.org/CVERecord?id=CVE-2020-25648

Resolution

SRPMS

- 7/core/rootcerts-20201021.00-1.mga7

- 7/core/nss-3.58.0-1.mga7

- 7/core/firefox-78.4.0-1.mga7

- 7/core/firefox-l10n-78.4.0-1.mga7

Publication date: 24 Oct 2020
URL: https://advisories.mageia.org/MGASA-2020-0395.html
Type: security
CVE: CVE-2020-15683, CVE-2020-15969, CVE-2020-25648
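To check whether a Mageia 7 host has picked up the fixed packages listed under Resolution, the added example below (not part of the advisory) compares installed version-release strings against the advisory's fixed ones using a simplified reimplementation of RPM's `rpmvercmp` (tilde and caret ordering are omitted). The `installed` mapping is constructed here; on a real host it would come from `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' nss firefox firefox-l10n rootcerts`.

```python
import re

# Fixed version-release strings from the MGASA-2020-0395 SRPMS list.
FIXED = {
    "rootcerts": "20201021.00-1.mga7",
    "nss": "3.58.0-1.mga7",
    "firefox": "78.4.0-1.mga7",
    "firefox-l10n": "78.4.0-1.mga7",
}

# Split a version string into numeric and alphabetic segments, as rpmvercmp does.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: returns -1, 0 or 1.

    Digit segments compare numerically, letter segments lexically, and a
    digit segment outranks a letter segment. If all shared segments are
    equal, the string with more segments is newer. Tilde/caret rules of the
    real rpmvercmp are deliberately left out of this simplified version.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)


def unpatched_packages(installed: dict) -> list:
    """Names of installed packages still older than the advisory's fix."""
    return [name for name, vr in installed.items()
            if name in FIXED and vr_cmp(vr, FIXED[name]) < 0]


if __name__ == "__main__":
    # Constructed sample of what rpm -q might report on a partially updated host.
    sample = {"nss": "3.57.0-1.mga7", "firefox": "78.4.0-1.mga7",
              "rootcerts": "20200722.00-1.mga7"}
    print("still unpatched:", unpatched_packages(sample))  # ['nss', 'rootcerts']
```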
