Bug 1175686 (CVE-2020-15663)

Summary: VUL-0: MozillaFirefox,MozillaThunderbird: Update to 78.2.0 ESR /80 /68.12 (MFSA 2020-38, MFSA 2020-36, MFSA 2020-40)
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Martin Sirringhaus <martin.sirringhaus>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: atoptsoglou, cgrobertson
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/265835/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-15664:7.5:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2020-15670:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-08-24 11:40:47 UTC
https://archive.mozilla.org/pub/firefox/releases/78.2.0esr/

Release notes pending
Comment 1 Alexandros Toptsoglou 2020-08-25 13:28:30 UTC
Firefox 78.2 ESR:

CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-15670: Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2

Reference

https://www.mozilla.org/en-US/security/advisories/mfsa2020-38/

Firefox 80:

CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-12401: Timing-attack on ECDSA signature generation
CVE-2020-6829: P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signature generation
CVE-2020-12400: P-384 and P-521 vulnerable to a side channel attack on modular inversion
CVE-2020-15665: Address bar not reset when choosing to stay on a page after the beforeunload dialog is shown
CVE-2020-15666: MediaError message property leaks cross-origin response status
CVE-2020-15667: Heap overflow when processing an update file
CVE-2020-15668: Data Race when reading certificate information
CVE-2020-15670: Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2

Reference

https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/
Comment 2 OBSbugzilla Bot 2020-08-25 19:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1175686) was mentioned in
https://build.opensuse.org/request/show/829614 Factory / MozillaFirefox
Comment 3 OBSbugzilla Bot 2020-08-25 20:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1175686) was mentioned in
https://build.opensuse.org/request/show/829621 Factory / MozillaFirefox
Comment 6 Alexandros Toptsoglou 2020-08-27 07:01:29 UTC
MozillaThunderbird 68.12:

CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-15669: Use-After-Free when aborting an operation
Comment 7 Wolfgang Frisch 2020-08-31 12:47:35 UTC
https://ftp.mozilla.org/pub/thunderbird/releases/78.2.1/
https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/

There are no vulnerabilities fixed with this release.
Nevertheless, there are 2 security-related bug fixes:

Fixes:
- OpenPGP: Users with sub-identities were unable to encrypt or sign messages when switching identities
- OpenPGP message security window did not support dark mode
Comment 9 Swamp Workflow Management 2020-09-04 19:14:03 UTC
SUSE-SU-2020:2544-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Enterprise Storage 5 (src):    MozillaFirefox-78.2.0-112.19.2
HPE Helion Openstack 8 (src):    MozillaFirefox-78.2.0-112.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-09-07 13:23:12 UTC
SUSE-SU-2020:2552-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15669
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-68.12.0-3.94.1
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-68.12.0-3.94.1
Comment 11 Swamp Workflow Management 2020-09-07 19:14:57 UTC
SUSE-SU-2020:2563-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-78.2.0-3.105.1
Comment 12 Swamp Workflow Management 2020-09-08 13:14:34 UTC
openSUSE-SU-2020:1384-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-78.2.0-lp151.2.65.1
Comment 13 Swamp Workflow Management 2020-09-08 13:15:59 UTC
openSUSE-SU-2020:1383-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15669
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-68.12.0-lp151.2.50.1
Comment 14 Swamp Workflow Management 2020-09-08 22:15:22 UTC
openSUSE-SU-2020:1392-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15669
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-68.12.0-lp152.2.10.1
Comment 15 Swamp Workflow Management 2020-09-08 22:16:25 UTC
openSUSE-SU-2020:1391-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.2.0-lp152.2.18.1
Comment 16 Swamp Workflow Management 2020-09-14 22:15:36 UTC
SUSE-SU-2020:14489-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.2.0-78.90.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-78.2.0-78.90.2
Comment 18 Swamp Workflow Management 2020-09-25 13:24:56 UTC
SUSE-SU-2020:2749-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1167976,1173986,1173991,1174284,1174420,1175686,1176756
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.3.0-8.6.1
Comment 19 Marcus Meissner 2020-10-07 06:53:54 UTC
Was released.