Bug 1184960 - (CVE-2021-23994) VUL-0: MozillaFirefox / MozillaThunderbird: update to 88 and 78.10.0esr
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/282236/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-23961:7.4:(AV:...
Depends on:
Blocks:
Reported: 2021-04-19 13:13 UTC by Martin Sirringhaus
Modified: 2022-04-01 10:39 UTC (History)
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Martin Sirringhaus 2021-04-19 13:13:54 UTC
- Mozilla Thunderbird 78.10
  MFSA 2021-14
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed
  * CVE-2021-29948 (bmo#1692899)
    Race condition when reading from disk while verifying
    signatures

- Mozilla Firefox ESR 78.10
  MFSA 2021-15
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed

- Mozilla Firefox 88
  MFSA 2021-16
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23996 (bmo#1701834)
    Content rendered outside of webpage viewport
  * CVE-2021-23997 (bmo#1701942)
    Use-after-free when freeing fonts from cache
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24000 (bmo#1694698)
    requestPointerLock() could be applied to a tab different from
    the visible tab
  * CVE-2021-24001 (bmo#1694727)
    Testing code could have enabled session history manipulations
    by a compromised content process
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29944 (bmo#1697604)
    HTML injection vulnerability in Firefox for Android's Reader
    View
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed
  * CVE-2021-29947 (bmo#1651449, bmo#1674142, bmo#1693476,
    bmo#1696886, bmo#1700091)
    Memory safety bugs fixed in Firefox 88
Comment 1 OBSbugzilla Bot 2021-04-20 08:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1184960) was mentioned in
https://build.opensuse.org/request/show/886906 Factory / MozillaThunderbird
Comment 4 Swamp Workflow Management 2021-04-23 10:15:54 UTC
SUSE-SU-2021:1307-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    MozillaFirefox-78.10.0-8.38.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.10.0-8.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-04-26 19:15:32 UTC
openSUSE-SU-2021:0621-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.10.0-lp152.2.55.1
Comment 6 Swamp Workflow Management 2021-04-27 13:16:15 UTC
SUSE-SU-2021:1325-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (src):    MozillaFirefox-78.10.0-112.57.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-78.10.0-112.57.2
HPE Helion Openstack 8 (src):    MozillaFirefox-78.10.0-112.57.2

Comment 7 Swamp Workflow Management 2021-04-28 19:17:33 UTC
SUSE-SU-2021:14708-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.10.0-78.126.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-78.10.0-78.126.1

Comment 8 Swamp Workflow Management 2021-04-29 13:17:04 UTC
SUSE-SU-2021:1432-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946,CVE-2021-29948
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-78.10.0-8.23.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.10.0-8.23.1

Comment 9 Swamp Workflow Management 2021-04-29 13:21:52 UTC
SUSE-SU-2021:1433-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Manager Retail Branch Server 4.0 (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Manager Proxy 4.0 (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise Server for SAP 15 (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise Server 15-LTSS (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    MozillaFirefox-78.10.0-3.139.1
SUSE Enterprise Storage 6 (src):    MozillaFirefox-78.10.0-3.139.1
SUSE CaaS Platform 4.0 (src):    MozillaFirefox-78.10.0-3.139.1

Comment 10 Swamp Workflow Management 2021-05-01 10:15:30 UTC
openSUSE-SU-2021:0644-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1184960
CVE References: CVE-2021-23961,CVE-2021-23994,CVE-2021-23995,CVE-2021-23998,CVE-2021-23999,CVE-2021-24002,CVE-2021-29945,CVE-2021-29946,CVE-2021-29948
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-78.10.0-lp152.2.41.1
Comment 11 Marcus Meissner 2021-08-09 12:15:04 UTC
done