Announced 9 June 2020

Score: High

Four security issues rated as high affect the Firefox ESR web browser on:

  • IGEL OS 11
  • IGEL OS 10
  • IGEL Linux 5

Details

It has been discovered that a timing attack against Mozilla's Network Security Services (NSS) library could leak private keys (CVE-2020-12399). Also, when browsing a malicious page, a race condition in SharedWorkerService could occur and lead to a potentially exploitable crash (CVE-2020-12405). A JavaScript type confusion with NativeTypes could result in a crash and potentially lead to execution of arbitrary code (CVE-2020-12406). Further memory safety bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12411).

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.03.580 or newer.
  • IGEL OS 10: Update to IGEL OS 10.06.190 or newer.
  • IGEL Linux 5: This version does not have the space required for the Firefox ESR update. IGEL recommends removing the web browser feature if possible: Features.

References

 Mozilla Foundation Security Advisory 2020-21: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/