Bug 1166238 - VUL-0: MozillaFirefox,MozillaThunderbird: 68.6ESR / 74 release - MFSA 2020-08 / 2020-09 / MFSA 2020-10
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High
Severity: Major
Assigned To: Charles Robertson
Security Team bot
https://smash.suse.de/issue/254501
Reported: 2020-03-10 12:33 UTC by Martin Sirringhaus
Modified: 2022-09-06 16:43 UTC
Description Martin Sirringhaus 2020-03-10 12:33:12 UTC
Firefox 74: MFSA 2020-08
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections
    against state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6808 (bmo#1247968)
    URL Spoofing via javascript: URL
  * CVE-2020-6809 (bmo#1420296)
    Web Extensions with the all-urls permission could access
    local files
  * CVE-2020-6810 (bmo#1432856)
    Focusing a popup while in fullscreen could have obscured the
    fullscreen notification
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6813 (bmo#1605814)
    @import statements in CSS could bypass the Content Security
    Policy nonce feature
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
    bmo#1612636, bmo#1614339)
    Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6


Firefox 68.6 ESR: MFSA 2020-09
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections
    against state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
    bmo#1612636, bmo#1614339)
    Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
Comment 1 Wolfgang Frisch 2020-03-11 08:14:47 UTC
Also fixed in Firefox 74:
  * CVE-2020-6815: Memory and script safety bugs

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/
Comment 2 Swamp Workflow Management 2020-03-13 08:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (1166238) was mentioned in
https://build.opensuse.org/request/show/784530 Factory / MozillaFirefox
Comment 3 Martin Sirringhaus 2020-03-13 08:07:13 UTC
- Mozilla Thunderbird 68.6
  MFSA 2020-10 (bsc#1166238)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections
    against state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
    bmo#1612636, bmo#1614339)
    Memory safety bugs fixed in Thunderbird 68.6
Comment 4 Alexandros Toptsoglou 2020-03-13 08:14:01 UTC
SUSE-SU-2020:14312-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1132665
CVE References: CVE-2019-20503,CVE-2020-6805,CVE-2020-6806,CVE-2020-6807,CVE-2020-6811,CVE-2020-6812,CVE-2020-6814
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.6.0-78.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-03-13 17:40:19 UTC
SUSE-SU-2020:0686-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1132665,1166238
CVE References: CVE-2019-20503,CVE-2020-6805,CVE-2020-6806,CVE-2020-6807,CVE-2020-6811,CVE-2020-6812,CVE-2020-6814
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (src):    MozillaFirefox-68.6.0-3.75.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    MozillaFirefox-68.6.0-3.75.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-68.6.0-3.75.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-68.6.0-3.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-03-14 23:11:23 UTC
openSUSE-SU-2020:0340-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1132665,1166238
CVE References: CVE-2019-20503,CVE-2020-6805,CVE-2020-6806,CVE-2020-6807,CVE-2020-6811,CVE-2020-6812,CVE-2020-6814
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-68.6.0-lp151.2.33.1
Comment 8 Swamp Workflow Management 2020-03-19 14:22:15 UTC
SUSE-SU-2020:0717-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1132665,1166238
CVE References: CVE-2019-20503,CVE-2020-6805,CVE-2020-6806,CVE-2020-6807,CVE-2020-6811,CVE-2020-6812,CVE-2020-6814
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP4 (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    MozillaFirefox-68.6.0-109.110.1
SUSE Enterprise Storage 5 (src):    MozillaFirefox-68.6.0-109.110.1
HPE Helion Openstack 8 (src):    MozillaFirefox-68.6.0-109.110.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-03-19 14:43:55 UTC
SUSE-SU-2020:0721-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1166238
CVE References: CVE-2019-20503,CVE-2020-6805,CVE-2020-6806,CVE-2020-6807,CVE-2020-6811,CVE-2020-6812,CVE-2020-6814
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-68.6.0-3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-03-22 17:12:56 UTC
openSUSE-SU-2020:0366-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1166238
CVE References: CVE-2019-20503,CVE-2020-6805,CVE-2020-6806,CVE-2020-6807,CVE-2020-6811,CVE-2020-6812,CVE-2020-6814
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-68.6.0-lp151.2.28.1
Comment 11 Alexandros Toptsoglou 2020-03-23 13:10:36 UTC
Done
Comment 13 Swamp Workflow Management 2020-07-08 13:15:59 UTC
SUSE-SU-2020:14421-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1166238,1167231,1173576
CVE References: CVE-2020-12402,CVE-2020-12415,CVE-2020-12416,CVE-2020-12417,CVE-2020-12418,CVE-2020-12419,CVE-2020-12420,CVE-2020-12421,CVE-2020-12422,CVE-2020-12423,CVE-2020-12424,CVE-2020-12425,CVE-2020-12426
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.0.1-78.80.2, MozillaFirefox-branding-SLED-78-21.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-07-13 16:15:03 UTC
SUSE-SU-2020:1898-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1166238,1173576,1173613
CVE References: CVE-2020-12402,CVE-2020-12415,CVE-2020-12416,CVE-2020-12417,CVE-2020-12418,CVE-2020-12419,CVE-2020-12420,CVE-2020-12421,CVE-2020-12422,CVE-2020-12423,CVE-2020-12424,CVE-2020-12425,CVE-2020-12426
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.0.1-3.94.2, MozillaFirefox-branding-SLE-78-4.14.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-78.0.1-3.94.2, MozillaFirefox-branding-SLE-78-4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-07-17 22:14:55 UTC
openSUSE-SU-2020:0983-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1166238,1173576,1173613
CVE References: CVE-2020-12402,CVE-2020-12415,CVE-2020-12416,CVE-2020-12417,CVE-2020-12418,CVE-2020-12419,CVE-2020-12420,CVE-2020-12421,CVE-2020-12422,CVE-2020-12423,CVE-2020-12424,CVE-2020-12425,CVE-2020-12426
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.0.1-lp152.2.5.1
Comment 17 Swamp Workflow Management 2020-07-20 13:13:01 UTC
openSUSE-SU-2020:1017-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1166238,1173576,1173613
CVE References: CVE-2020-12402,CVE-2020-12415,CVE-2020-12416,CVE-2020-12417,CVE-2020-12418,CVE-2020-12419,CVE-2020-12420,CVE-2020-12421,CVE-2020-12422,CVE-2020-12423,CVE-2020-12424,CVE-2020-12425,CVE-2020-12426
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-78.0.1-lp151.2.53.1