Bug 1185633 - (CVE-2021-29951) VUL-0: CVE-2021-29951: MozillaFirefox, MozillaThunderbird: update to 88.0.1 and 78.10.1esr
(CVE-2021-29951)
VUL-0: CVE-2021-29951: MozillaFirefox, MozillaThunderbird: update to 88.0.1 a...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Martin Sirringhaus
Security Team bot
CVSSv3.1:SUSE:CVE-2021-29951:3.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-05 07:26 UTC by Martin Sirringhaus
Modified: 2022-04-01 10:39 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Sirringhaus 2021-05-05 07:26:57 UTC
- Mozilla Firefox ESR 78.10.1
  MFSA 2021-18
  * CVE-2021-29951 (bmo#1690062)
    Mozilla Maintenance Service could have been started or
    stopped by domain users

- Mozilla Thunderbird 78.10.1
  MFSA 2021-19
  * CVE-2021-29951 (bmo#1690062)
    Thunderbird Maintenance Service could have been started or
    stopped by domain users


MFSA for 88.0.1 not yet released.
Comment 1 Andreas Stieger 2021-05-05 18:27:55 UTC
CVE-2021-29951 is a non-issue for GNU/Linux. So nothing for Leap / SLE / ESR.

However, from https://www.mozilla.org/en-US/security/advisories/mfsa2021-20/

  MFSA 2021-20 (bsc#1185633)
  * CVE-2021-29952 (bmo#1704227)
    Race condition in Web Render Components

Firefox 88.0.1 is in https://build.opensuse.org/request/show/890804

CVE-2021-29953 only affects Android.
Comment 3 Alexander Bergmann 2021-05-07 09:27:47 UTC
Firefox Extended Support Release 78.10.1 ESR

https://www.mozilla.org/en-US/security/advisories/mfsa2021-18/

CVE-2021-29951:
Mozilla Maintenance Service could have been started or stopped by domain users

Reporter: James Forshaw
Impact:   moderate

Description

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service.

Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.
Comment 4 Gianluca Gabrielli 2021-05-18 12:39:59 UTC
Missing submissions:

 - SUSE:SLE-15-SP2:Update/MozillaThunderbird       78.10.0
 - SUSE:SLE-15:Update/MozillaThunderbird           78.7.1

Please update to version >= 78.10.1
Comment 9 Swamp Workflow Management 2021-06-04 10:27:33 UTC
SUSE-SU-2021:1854-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185086,1185633,1186198,1186199
CVE References: CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-78.10.2-8.27.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.10.2-8.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-06-08 16:35:07 UTC
SUSE-SU-2021:1884-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185633,1186696
CVE References: CVE-2021-29951,CVE-2021-29964,CVE-2021-29967
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    MozillaFirefox-78.11.0-8.43.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-78.11.0-8.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-06-08 16:50:08 UTC
SUSE-SU-2021:14743-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185633,1186696
CVE References: CVE-2021-29951,CVE-2021-29964,CVE-2021-29967
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-78.11.0-78.131.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-78.11.0-78.131.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-06-08 16:51:40 UTC
SUSE-SU-2021:1886-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185633,1186696
CVE References: CVE-2021-29951,CVE-2021-29964,CVE-2021-29967
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-78.11.0-112.62.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-78.11.0-112.62.1
HPE Helion Openstack 8 (src):    MozillaFirefox-78.11.0-112.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-06-09 13:21:32 UTC
openSUSE-SU-2021:0858-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185633,1186696
CVE References: CVE-2021-29951,CVE-2021-29964,CVE-2021-29967
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-78.11.0-lp152.2.58.1
Comment 14 Swamp Workflow Management 2021-06-09 16:44:23 UTC
SUSE-SU-2021:1919-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185633,1186696
CVE References: CVE-2021-29951,CVE-2021-29964,CVE-2021-29967
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Manager Retail Branch Server 4.0 (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Manager Proxy 4.0 (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise Server for SAP 15 (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise Server 15-LTSS (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    MozillaFirefox-78.11.0-3.144.1
SUSE Enterprise Storage 6 (src):    MozillaFirefox-78.11.0-3.144.1
SUSE CaaS Platform 4.0 (src):    MozillaFirefox-78.11.0-3.144.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-07-09 15:44:38 UTC
openSUSE-SU-2021:1884-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1185633,1186696
CVE References: CVE-2021-29951,CVE-2021-29964,CVE-2021-29967
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaFirefox-78.11.0-8.43.1
Comment 16 Swamp Workflow Management 2021-07-10 22:19:47 UTC
openSUSE-SU-2021:1854-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185086,1185633,1186198,1186199
CVE References: CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-78.10.2-8.27.1
Comment 17 Marcus Meissner 2021-08-09 12:14:57 UTC
done