Bug 1175686 - (CVE-2020-15663) VUL-0: MozillaFirefox,MozillaThunderbird: Update to 78.2.0 ESR /80 /68.12 (MFSA 2020-38, MFSA 2020-36, MFSA 2020-40)
(CVE-2020-15663)
VUL-0: MozillaFirefox,MozillaThunderbird: Update to 78.2.0 ESR /80 /68.12 (MF...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Martin Sirringhaus
Security Team bot
https://smash.suse.de/issue/265835/
CVSSv3.1:SUSE:CVE-2020-15664:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-08-24 11:40 UTC by Wolfgang Frisch
Modified: 2022-09-06 16:43 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-08-24 11:40:47 UTC
https://archive.mozilla.org/pub/firefox/releases/78.2.0esr/

Release notes pending
Comment 1 Alexandros Toptsoglou 2020-08-25 13:28:30 UTC
Firefox 78.2 ESR: 

CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-15670: Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2

Reference

https://www.mozilla.org/en-US/security/advisories/mfsa2020-38/

Firefox 80: 
   
CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-12401: Timing-attack on ECDSA signature generation
CVE-2020-6829: P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signature generation
CVE-2020-12400: P-384 and P-521 vulnerable to a side channel attack on modular inversion
CVE-2020-15665: Address bar not reset when choosing to stay on a page after the beforeunload dialog is shown
CVE-2020-15666: MediaError message property leaks cross-origin response status
CVE-2020-15667: Heap overflow when processing an update file
CVE-2020-15668: Data Race when reading certificate information
CVE-2020-15670: Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2

Reference 

https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/
Comment 2 OBSbugzilla Bot 2020-08-25 19:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1175686) was mentioned in
https://build.opensuse.org/request/show/829614 Factory / MozillaFirefox
Comment 3 OBSbugzilla Bot 2020-08-25 20:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1175686) was mentioned in
https://build.opensuse.org/request/show/829621 Factory / MozillaFirefox
Comment 6 Alexandros Toptsoglou 2020-08-27 07:01:29 UTC
MozillaThunderbird 68.12: 

CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-15669: Use-After-Free when aborting an operation
Comment 7 Wolfgang Frisch 2020-08-31 12:47:35 UTC
https://ftp.mozilla.org/pub/thunderbird/releases/78.2.1/
https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/

There are no vulnerabilities fixed with this release.
Nevertheless, there are 2 security-related bug fixes:

Fixes:
- OpenPGP: Users with sub-identities were unable to encrypt or sign messages when switching identities
- OpenPGP message security window did not support dark mode
Comment 9 Swamp Workflow Management 2020-09-04 19:14:03 UTC
SUSE-SU-2020:2544-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-78.2.0-112.19.2
SUSE Enterprise Storage 5 (src):    MozillaFirefox-78.2.0-112.19.2
HPE Helion Openstack 8 (src):    MozillaFirefox-78.2.0-112.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-09-07 13:23:12 UTC
SUSE-SU-2020:2552-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15669
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-68.12.0-3.94.1
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-68.12.0-3.94.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-09-07 19:14:57 UTC
SUSE-SU-2020:2563-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-78.2.0-3.105.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-09-08 13:14:34 UTC
openSUSE-SU-2020:1384-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-78.2.0-lp151.2.65.1
Comment 13 Swamp Workflow Management 2020-09-08 13:15:59 UTC
openSUSE-SU-2020:1383-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15669
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-68.12.0-lp151.2.50.1
Comment 14 Swamp Workflow Management 2020-09-08 22:15:22 UTC
openSUSE-SU-2020:1392-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15669
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-68.12.0-lp152.2.10.1
Comment 15 Swamp Workflow Management 2020-09-08 22:16:25 UTC
openSUSE-SU-2020:1391-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173991,1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.2.0-lp152.2.18.1
Comment 16 Swamp Workflow Management 2020-09-14 22:15:36 UTC
SUSE-SU-2020:14489-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174284,1175686
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.2.0-78.90.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-78.2.0-78.90.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-09-25 13:24:56 UTC
SUSE-SU-2020:2749-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1167976,1173986,1173991,1174284,1174420,1175686,1176756
CVE References: CVE-2020-15663,CVE-2020-15664,CVE-2020-15670,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.3.0-8.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Marcus Meissner 2020-10-07 06:53:54 UTC
was released