firefox-68.8.0-1.0.1.AXS4

エラータID: AXSA:2020-100:11

Release date: 
Wednesday, May 27, 2020 - 10:24
Subject: 
firefox-68.8.0-1.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 68.8.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8 (CVE-2020-12395)

* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-12387
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-12392
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-12395
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-6831
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2020-12387
A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVE-2020-12392
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVE-2020-12395
Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVE-2020-6831
A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-68.8.0-1.0.1.AXS4.src.rpm
    MD5: 3d0074aedd2775505498d436baa74131
    SHA-256: d72e36191fb494fab0f61b78eec584035e5202ee7a63cd43d946d073d0c0f394
    Size: 514.22 MB

Asianux Server 4 for x86
  1. firefox-68.8.0-1.0.1.AXS4.i686.rpm
    MD5: 2a26afe229129217d2ffc4bc726a4a01
    SHA-256: 77d02b53052ac77bf3e03ddea6804f6eef502c49c8601fd5407b56d92941c002
    Size: 118.45 MB

Asianux Server 4 for x86_64
  1. firefox-68.8.0-1.0.1.AXS4.x86_64.rpm
    MD5: 47340bb83a907528caac6e8bd7ae4575
    SHA-256: 14f3ffb48d5bbc39038550f3db76f3948153f8ae40a61c5da891aaad26eb8f4f
    Size: 118.54 MB
  2. firefox-68.8.0-1.0.1.AXS4.i686.rpm
    MD5: 2a26afe229129217d2ffc4bc726a4a01
    SHA-256: 77d02b53052ac77bf3e03ddea6804f6eef502c49c8601fd5407b56d92941c002
    Size: 118.45 MB