Announced 9 June 2020

Score: Critical

Two security issues rated critical and one rated high affect the Firefox ESR web browser on

  • IGEL OS 11
  • IGEL OS 10
  • IGEL Linux 5

Details

A race condition when running shutdown code for a Web Worker led to a use-after-free vulnerability, which resulted in a potentially exploitable crash (CVE-2020-12387). Additionally, memory safety bugs have been reported in Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of them could have been exploited to run arbitrary code (CVE-2020-12395). Furthermore, a buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash (CVE-2020-6831).

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.03.580 or newer.
  • IGEL OS 10: Update to IGEL OS 10.06.180 or newer.
  • IGEL Linux v5: This version does not have the space required for the Firefox ESR update. IGEL recommends removing the web browser feature if possible: https://kb.igel.com/igellinux/en/features-2275613.html
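To turn the update instructions above into a fleet check, the following script compares installed IGEL OS version strings against the fixed builds named in this advisory (11.03.580 for IGEL OS 11, 10.06.180 for IGEL OS 10, no fixed build for IGEL Linux 5). It is an added example, not code from IGEL or Mozilla. The inventory CSV, the hostnames and the version values in it are constructed for illustration, and the assumption that a device's version is available as a dotted string such as "11.03.580" (for instance from a management-console export) is the author's, not something the advisory states.

```python
"""Triage IGEL devices against the fixed versions in this advisory.

Added example: fixed versions come from the advisory text; the inventory
format and all device data below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io

# Fixed builds named in the advisory, keyed by major release.
FIXED_VERSIONS = {
    11: (11, 3, 580),  # IGEL OS 11.03.580 or newer
    10: (10, 6, 180),  # IGEL OS 10.06.180 or newer
}
# IGEL Linux 5 receives no fixed build per the advisory (remove the browser feature instead).
NO_FIX_MAJORS = {5}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.03.580' into (11, 3, 580); leading zeros do not affect the comparison."""
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in parts)


def assess(version_text: str) -> str:
    """Classify one device: 'patched', 'vulnerable', 'no-fix' or 'unknown'.

    A major release the advisory does not mention is reported as 'unknown'
    rather than silently assumed to be patched.
    """
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"
    major = installed[0]
    if major in NO_FIX_MAJORS:
        return "no-fix"
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return "unknown"
    # Tuple comparison is element-wise, so (11, 3, 580) >= (11, 3, 580) and
    # (11, 4) > (11, 3, 580), matching "X or newer" in the advisory.
    return "patched" if installed >= fixed else "vulnerable"


# Constructed inventory export (hostname, installed version), assumed format.
INVENTORY_CSV = """hostname,os_version
tc-lobby-01,11.03.570
tc-lobby-02,11.03.580
tc-ward-07,10.06.100
tc-ward-08,10.06.180
tc-legacy-01,5.13.100
tc-kiosk-03,12.01.100
tc-broken,n/a
"""


def triage(csv_text: str) -> dict[str, list[str]]:
    """Group hostnames from the inventory by their assessment result."""
    result: dict[str, list[str]] = {
        "patched": [], "vulnerable": [], "no-fix": [], "unknown": []
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[assess(row["os_version"])].append(row["hostname"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY_CSV).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Devices listed under "vulnerable" need the update from the instructions above; "no-fix" devices are IGEL Linux 5 systems where the advisory recommends removing the browser feature; "unknown" covers unparsable version strings and major releases this advisory does not cover, which should be checked manually rather than assumed safe.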

References

Mozilla Foundation Security Advisory 2020-17: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/