Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Mageia 8: 2023-0235 Critical: Firefox/NSS Use-After-Free Attack

mageia
Calendar Grey July 19, 2023
Dist Mageia Esm H88
Mageia 2023-0250 brings critical enhancements for chromium/openssl to tackle significant vulnerabilities reported on 15 Aug 2023.
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS (CVE-2023-37201)

Summary

An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS (CVE-2023-37201).
Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free in SpiderMonkey (CVE-2023-37202).
A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks (CVE-2023-37207).
When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code (CVE-2023-37208).
Memory safety bugs present in Firefox ESR 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2023-37211).

References

- https://bugs.mageia.org/show_bug.cgi?id=32077

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/i-wiqdBIjMI

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/

- https://www.cve.org/CVERecord?id=CVE-2023-37201

- https://www.cve.org/CVERecord?id=CVE-2023-37202

- https://www.cve.org/CVERecord?id=CVE-2023-37207

- https://www.cve.org/CVERecord?id=CVE-2023-37208

- https://www.cve.org/CVERecord?id=CVE-2023-37211

Topics%20covered

Topics Covered

security advisory critical threat Firefox NSS use-after-free Mageia WebRTC

Resolution

SRPMS

- 8/core/firefox-102.13.0-1.mga8

- 8/core/firefox-l10n-102.13.0-1.mga8

- 8/core/nss-3.91.0-1.mga8

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 19 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0235.html
Type: security
CVE: CVE-2023-37201, CVE-2023-37202, CVE-2023-37207, CVE-2023-37208, CVE-2023-37211

Topics%20covered

Topics Covered

security advisory critical threat Firefox NSS use-after-free Mageia WebRTC

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here