Announced 9 June 2020
Score: High
Four security issues rated as high affect the Firefox ESR web browser on:
- IGEL OS 11
- IGEL OS 10
- IGEL Linux 5
Details
It has been discovered that a timing attack against Mozilla’s Network Security Services (NSS) library could leak private keys (CVE-2020-12399). Also, when browsing a malicious page, a race condition in SharedWorkerService could occur and lead to a potentially exploitable crash (CVE-2020-12405). A JavaScript type confusion with NativeTypes could result in a crash and potentially in the execution of arbitrary code (CVE-2020-12406). Further memory safety bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12411).
Update Instructions
- IGEL OS 11: Update to IGEL OS 11.03.580 or newer.
- IGEL OS 10: Update to IGEL OS 10.06.190 or newer.
- IGEL Linux 5: This version does not have the space required for the Firefox ESR update. IGEL recommends removing the web browser feature if possible.
References
Mozilla Foundation Security Advisory 2020-21: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/