First published 26 March 2024

CVSS 3.1: 9.8 (critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

Among the vulnerabilities found, one is rated as critical: An attacker might be able to inject an event handler into a privileged object, which may enable them to execute arbitrary code (CVE-2024-29944).

Apart from that, several issues rated as high have been identified. Several methods could have experienced integer overflows that underallocated an output buffer, leading to an out-of-bounds write (CVE-2024-2608). An out-of-bounds memory read was discovered in networking channels (CVE-2024-1546). ICU can be affected by resource exhaustion (CVE-2024-2616), and a TLS method in NSS can cause a potentially exploitable crash (CVE-2024-0743). Another issue enables an attacker to spoof an alert dialog on another site (CVE-2024-1547). Memory safety bugs conclude the list (CVE-2024-1553, CVE-2024-2614).
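The underallocation pattern behind the integer-overflow issue above (a size computed in 32-bit arithmetic wraps to a small value, the buffer is allocated at that small size, and the subsequent write runs past its end) is easiest to see in a few lines of C. The following is an added, constructed example for this advisory; it is not Firefox, NSS or IGEL code and says nothing about the specific methods affected. The names `naive_output_size`, `checked_output_size`, `alloc_output` and the header constant are assumptions made for illustration. The checked variant uses the GCC/Clang `__builtin_mul_overflow` / `__builtin_add_overflow` builtins so that a wrapped size is rejected instead of silently becoming a tiny allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed scenario: an output buffer holds `count` records of
 * `elem_size` bytes each, preceded by a fixed 16-byte header. */
#define HEADER_BYTES 16u

/* Naive size computation: uint32_t arithmetic wraps silently. When the
 * product wraps, the caller allocates a few bytes and then writes `count`
 * elements into it, which is exactly the out-of-bounds write described
 * for this bug class. */
uint32_t naive_output_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size + HEADER_BYTES;
}

/* Hardened size computation: each arithmetic step is overflow-checked.
 * Returns false (and leaves *out untouched) if any step would wrap. */
bool checked_output_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    uint32_t body, total;
    if (__builtin_mul_overflow(count, elem_size, &body)) return false;
    if (__builtin_add_overflow(body, HEADER_BYTES, &total)) return false;
    *out = total;
    return true;
}

/* Convenience predicate: does the requested buffer size fit in 32 bits? */
bool output_size_fits(uint32_t count, uint32_t elem_size) {
    uint32_t unused;
    return checked_output_size(count, elem_size, &unused);
}

/* Allocates the output buffer only when the size is sound. Returns NULL on
 * overflow so the caller never proceeds to fill an undersized buffer. */
unsigned char *alloc_output(uint32_t count, uint32_t elem_size, uint32_t *size_out) {
    uint32_t size;
    if (!checked_output_size(count, elem_size, &size)) return NULL;
    unsigned char *buf = malloc(size);
    if (buf && size_out) *size_out = size;
    return buf;
}

int main(void) {
    /* Constructed input: 0x40000001 elements of 4 bytes need just over
     * 4 GiB, but the 32-bit product wraps to 4, so the naive size is 20. */
    uint32_t count = 0x40000001u, elem = 4u;
    printf("naive size      : %u bytes\n", naive_output_size(count, elem));

    uint32_t size = 0;
    unsigned char *buf = alloc_output(count, elem, &size);
    printf("checked alloc   : %s\n", buf ? "ok" : "rejected (size overflow)");
    free(buf);

    /* A sane request still succeeds: 10 * 4 + 16 = 56 bytes. */
    buf = alloc_output(10u, 4u, &size);
    printf("small request   : %s, %u bytes\n", buf ? "ok" : "rejected", size);
    free(buf);
    return 0;
}
```

The defensive point is that the check belongs at the size computation, before `malloc`: once a wrapped size has been handed to the allocator, no later bounds check on the individual writes can recover the intended buffer length.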

Update Instructions

  • OS 12: Update the OS 12 Firefox ESR App to version 115.9.1 when it is available on the IGEL App Portal.
  • OS 11: Update to IGEL 11.09.310 when it is available.

References