Bug 1182614 - (CVE-2021-23969) VUL-0: MozillaFirefox / MozillaThunderbird: update to 86 and 78.8.0esr
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Martin Sirringhaus
Security Team bot
CVSSv3.1:SUSE:CVE-2021-23968:4.3:(AV:...
Reported: 2021-02-23 13:33 UTC by Martin Sirringhaus
Modified: 2022-04-01 10:39 UTC (History)
Description Martin Sirringhaus 2021-02-23 13:33:12 UTC
- Mozilla Firefox 86
  MFSA 2021-07
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23970 (bmo#1681724)
    Multithreaded WASM triggered assertions validating separation
    of script domains
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23974 (bmo#1528997, bmo#1683627)
    noscript elements could have led to an HTML Sanitizer bypass
  * CVE-2021-23971 (bmo#1678545)
    A website's Referrer-Policy could have been overridden,
    potentially resulting in the full URL being sent as a
    Referrer
  * CVE-2021-23976 (bmo#1684627)
    Local spoofing of web manifests for arbitrary pages in
    Firefox for Android
  * CVE-2021-23977 (bmo#1684761)
    Malicious application could read sensitive data from Firefox
    for Android's application directories
  * CVE-2021-23972 (bmo#1683536)
    HTTP Auth phishing warning was omitted when a redirect is
    cached
  * CVE-2021-23975 (bmo#1685145)
    about:memory’s Measure function caused an incorrect pointer
    operation
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
    bmo#786797)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
  * CVE-2021-23979 (bmo#1663222, bmo#1666607, bmo#1672120,
    bmo#1678463, bmo#1678927, bmo#1679560, bmo#1681297,
    bmo#1681684, bmo#1683490, bmo#1684377, bmo#1684902)
    Memory safety bugs fixed in Firefox 86


- Mozilla Firefox ESR 78.8
  MFSA 2021-08 (bsc#)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
    bmo#786797)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
Comment 3 Martin Sirringhaus 2021-02-24 07:34:39 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/

- Mozilla Thunderbird 78.8
  MFSA 2021-09
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
    bmo#786797)
    Memory safety bugs fixed in Thunderbird 78.8
Comment 4 OBSbugzilla Bot 2021-02-24 08:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1182614) was mentioned in
https://build.opensuse.org/request/show/874775 Factory / MozillaThunderbird
Comment 6 OBSbugzilla Bot 2021-02-24 13:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1182614) was mentioned in
https://build.opensuse.org/request/show/874847 Factory / MozillaFirefox
Comment 8 Swamp Workflow Management 2021-03-01 17:16:41 UTC
SUSE-SU-2021:0659-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    MozillaFirefox-78.8.0-8.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.8.0-8.32.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-03-01 20:17:44 UTC
SUSE-SU-2021:0667-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-78.8.0-112.51.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-78.8.0-112.51.1
HPE Helion Openstack 8 (src):    MozillaFirefox-78.8.0-112.51.1

Comment 10 Swamp Workflow Management 2021-03-01 20:25:37 UTC
SUSE-SU-2021:14657-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.8.0-78.120.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-78.8.0-78.120.1

Comment 11 Swamp Workflow Management 2021-03-01 20:28:00 UTC
SUSE-SU-2021:0661-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.8.0-8.15.4

Comment 12 Swamp Workflow Management 2021-03-02 14:18:43 UTC
SUSE-SU-2021:0676-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1181848,1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Manager Retail Branch Server 4.0 (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Manager Proxy 4.0 (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    MozillaFirefox-78.8.0-3.133.1
SUSE Enterprise Storage 6 (src):    MozillaFirefox-78.8.0-3.133.1
SUSE CaaS Platform 4.0 (src):    MozillaFirefox-78.8.0-3.133.1

Comment 13 Swamp Workflow Management 2021-03-03 05:16:57 UTC
openSUSE-SU-2021:0373-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.8.0-lp152.2.49.1
Comment 14 Swamp Workflow Management 2021-03-06 02:16:31 UTC
openSUSE-SU-2021:0387-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1182357,1182614
CVE References: CVE-2021-23968,CVE-2021-23969,CVE-2021-23973,CVE-2021-23978
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-78.8.0-lp152.2.35.1
Comment 16 Marcus Meissner 2021-08-09 12:15:31 UTC
done