firefox-68.8.0-1.0.1.AXS4
Errata ID: AXSA:2020-100:11
Release date:
2020/05/27 Wednesday - 10:24
Title:
firefox-68.8.0-1.0.1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Firefox has a race condition when running the shutdown code for Web Worker, leading to a use-after-free vulnerability that causes a potentially exploitable crash. (CVE-2020-12387)
- The Copy as cURL feature in the Network tab of Firefox Devtools does not properly escape HTTP POST request data, so local files may be disclosed when a user uses this feature. (CVE-2020-12392)
- Firefox has memory corruption issues that could be exploited to run arbitrary code. (CVE-2020-12395)
- Firefox has a vulnerability in which a buffer overflow occurring when parsing and validating WebRTC SCTP chunks leads to memory corruption and a potentially exploitable crash. (CVE-2020-6831)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2020-12387
A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVE-2020-12392
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVE-2020-12395
Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVE-2020-6831
A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
Additional information:
N/A
Downloads:
SRPMS
- firefox-68.8.0-1.0.1.AXS4.src.rpm
MD5: 3d0074aedd2775505498d436baa74131
SHA-256: d72e36191fb494fab0f61b78eec584035e5202ee7a63cd43d946d073d0c0f394
Size: 514.22 MB
Asianux Server 4 for x86
- firefox-68.8.0-1.0.1.AXS4.i686.rpm
MD5: 2a26afe229129217d2ffc4bc726a4a01
SHA-256: 77d02b53052ac77bf3e03ddea6804f6eef502c49c8601fd5407b56d92941c002
Size: 118.45 MB
Asianux Server 4 for x86_64
- firefox-68.8.0-1.0.1.AXS4.x86_64.rpm
MD5: 47340bb83a907528caac6e8bd7ae4575
SHA-256: 14f3ffb48d5bbc39038550f3db76f3948153f8ae40a61c5da891aaad26eb8f4f
Size: 118.54 MB
- firefox-68.8.0-1.0.1.AXS4.i686.rpm
MD5: 2a26afe229129217d2ffc4bc726a4a01
SHA-256: 77d02b53052ac77bf3e03ddea6804f6eef502c49c8601fd5407b56d92941c002
Size: 118.45 MB