Linux Security
    Linux Security
    Linux Security

    Mageia 2020-0395: nss and firefox security update

    Date 24 Oct 2020
    116
    Posted By LinuxSecurity Advisories
    Mozilla developers and community members Jason Kratzer, Simon Giesecke, Philipp, and Christian Holler reported memory safety bugs present in Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15683).
    MGASA-2020-0395 - Updated nss and firefox packages fix security vulnerabilities
    
    Publication date: 24 Oct 2020
    URL: https://advisories.mageia.org/MGASA-2020-0395.html
    Type: security
    Affected Mageia releases: 7
    CVE: CVE-2020-15683,
         CVE-2020-15969,
         CVE-2020-25648
    
    Mozilla developers and community members Jason Kratzer, Simon Giesecke,
    Philipp, and Christian Holler reported memory safety bugs present in Firefox
    ESR 78.3. Some of these bugs showed evidence of memory corruption and we
    presume that with enough effort some of these could have been exploited to
    run arbitrary code (CVE-2020-15683).
    
    A use-after-free bug in the usersctp library was reported upstream. We assume
    this could have led to memory corruption and a potentially exploitable crash
    (CVE-2020-15969).
    
    A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in
    TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages,
    causing a denial of service for servers compiled with the NSS library. The
    highest threat from this vulnerability is to system availability. This flaw
    affects NSS versions before 3.58 (CVE-2020-25648).
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=27460
    - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
    - https://www.mozilla.org/en-US/security/advisories/mfsa2020-46/
    - https://access.redhat.com/errata/RHSA-2020:4310
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15683
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15969
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25648
    
    SRPMS:
    - 7/core/rootcerts-20201021.00-1.mga7
    - 7/core/nss-3.58.0-1.mga7
    - 7/core/firefox-78.4.0-1.mga7
    - 7/core/firefox-l10n-78.4.0-1.mga7
    

    Advisories

    LinuxSecurity Poll

    I agree with Linus Torvalds - Apple's new M1-powered laptops should run on Linux.

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /main-polls/45-i-agree-with-linus-torvalds-apple-s-new-m1-powered-laptops-should-run-on-linux?task=poll.vote&format=json
    45
    radio
    [{"id":"158","title":"True","votes":"18","type":"x","order":"1","pct":3.5,"resources":[]},{"id":"159","title":"False","votes":"496","type":"x","order":"2","pct":96.5,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.