Skip to main content
Skip table of contents

ISN 2024-08: Firefox ESR Vulnerabilities

First published 26 March 2024

CVSS 3.1: 9.8 (critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

Among the vulnerabilities found, one is rated as critical: An attacker might be able to inject an event handler into a privileged object, which may enable them to execute arbitrary code (CVE-2024-29944).

Apart from that, several issues rated as high have been identified. Several methods could have experienced integer overflows, causing underallocation of an output buffer, and leading to an out-of-bounds write (CVE-2024-2608). An out-of-bounds memory read was discovered in networking channels (CVE-2024-1546). ICU can be affected by resource exhaustion (CVE-2024-2616), and a TLS method in NSS can cause a potentially exploitable crash (CVE-2024-0743). Another issue enables an attacker to spoof an alert dialog on another site (CVE-2024-1547). Memory safety bugs conclude the list (CVE-2024-1553, CVE-2024-2614).

Update Instructions

  • OS 12: Update the OS 12 Firefox ESR App to version 115.9.1 when it is available on the IGEL App Portal.
  • OS 11: Update to IGEL 11.09.310 when it is available.

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.