Bug 1178824 - (CVE-2020-26951) VUL-0: MozillaFirefox: update to 78.5.0 ESR / 83.0 (MFSA 2020-50, MFSA 2020-51)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Charles Robertson
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/271744/
Reported: 2020-11-16 08:24 UTC by Wolfgang Frisch
Modified: 2022-09-06 16:44 UTC
Description Wolfgang Frisch 2020-11-16 08:24:15 UTC
https://archive.mozilla.org/pub/firefox/releases/78.5.0esr/

Release notes pending.
Comment 1 Wolfgang Frisch 2020-11-17 13:53:36 UTC
Mozilla Foundation Security Advisory 2020-51
Security Vulnerabilities fixed in Firefox ESR 78.5
https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/

CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
CVE-2020-26956: XSS through paste (manual and clipboard API)
CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
CVE-2020-26959: Use-after-free in WebRequestService
CVE-2020-26960: Potential use-after-free in uses of nsTArray
CVE-2020-15999: Heap buffer overflow in freetype
CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
CVE-2020-26965: Software keyboards may have remembered typed passwords
CVE-2020-26966: Single-word search queries were also broadcast to local network
CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
Comment 2 Wolfgang Frisch 2020-11-17 13:54:05 UTC
Mozilla Foundation Security Advisory 2020-50
Security Vulnerabilities fixed in Firefox 83
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/

CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
CVE-2020-26952: Out of memory handling of JITed, inlined functions could lead to a memory corruption
CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
CVE-2020-26954: Local spoofing of web manifests for arbitrary pages in Firefox for Android
CVE-2020-26955: Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android
CVE-2020-26956: XSS through paste (manual and clipboard API)
CVE-2020-26957: OneCRL was not working in Firefox for Android
CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
CVE-2020-26959: Use-after-free in WebRequestService
CVE-2020-26960: Potential use-after-free in uses of nsTArray
CVE-2020-15999: Heap buffer overflow in freetype
CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
CVE-2020-26962: Cross-origin iframes supported login autofill
CVE-2020-26963: History and Location interfaces could have been used to hang the browser
CVE-2020-26964: Firefox for Android's Remote Debugging via USB could have been abused by untrusted apps on older versions of Android
CVE-2020-26965: Software keyboards may have remembered typed passwords
CVE-2020-26966: Single-word search queries were also broadcast to local network
CVE-2020-26967: Mutation Observers could break or confuse Firefox Screenshots feature
CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
CVE-2020-26969: Memory safety bugs fixed in Firefox 83
Comment 3 Wolfgang Frisch 2020-11-17 13:54:14 UTC
https://archive.mozilla.org/pub/firefox/releases/83.0/
Comment 7 Swamp Workflow Management 2020-11-19 14:22:10 UTC
SUSE-SU-2020:3383-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-78.5.0-3.119.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 OBSbugzilla Bot 2020-11-20 09:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1178824) was mentioned in
https://build.opensuse.org/request/show/849574 Factory / MozillaFirefox
Comment 9 Swamp Workflow Management 2020-11-20 14:20:40 UTC
SUSE-SU-2020:3458-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.5.0-8.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-11-20 14:23:47 UTC
SUSE-SU-2020:14548-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.5.0-78.105.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-78.5.0-78.105.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-11-25 23:22:20 UTC
openSUSE-SU-2020:2020-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.5.0-lp152.2.30.1
Comment 12 Swamp Workflow Management 2020-11-26 17:42:40 UTC
openSUSE-SU-2020:2031-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-78.5.0-lp151.2.79.1
Comment 13 Swamp Workflow Management 2020-11-27 14:20:45 UTC
SUSE-SU-2020:3548-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-78.5.0-112.36.1
SUSE Enterprise Storage 5 (src):    MozillaFirefox-78.5.0-112.36.1
HPE Helion Openstack 8 (src):    MozillaFirefox-78.5.0-112.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Wolfgang Frisch 2020-12-09 17:16:57 UTC
Released.
Comment 15 Swamp Workflow Management 2020-12-22 17:21:04 UTC
openSUSE-SU-2020:2315-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1178824
CVE References: CVE-2020-15999,CVE-2020-16012,CVE-2020-26951,CVE-2020-26953,CVE-2020-26956,CVE-2020-26958,CVE-2020-26959,CVE-2020-26960,CVE-2020-26961,CVE-2020-26965,CVE-2020-26966,CVE-2020-26968
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.5.0-lp152.2.33.1