ALT-BU-2020-3859-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2021-00099
Уязвимость подписи DSA веб-браузеров программного обеспечения Firefox, Firefox-esr и Thunderbird, связанная с раскрытием информации в результате расхождений, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-11-21
CVE-2020-12399
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
- [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
- GLSA-202007-49
- USN-4421-1
- DSA-4726
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- DSA-4726
- USN-4421-1
- GLSA-202007-49
- [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
Closed vulnerabilities
BDU:2021-00078
Уязвимость веб-браузеров Firefox ESR и Firefox и почтового клиента Thunderbird, связанная с выходом операции за допустимые границы буфера данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
BDU:2021-00094
Уязвимость модуля распаковки веб-браузеров Firefox ESR и Firefox и почтового клиента Thunderbird, связанная с недостатком механизма проверки подлинности данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
BDU:2021-00095
Уязвимость браузера Firefox, связанная с выходом операции за допустимые границы буфера данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
BDU:2021-00099
Уязвимость подписи DSA веб-браузеров программного обеспечения Firefox, Firefox-esr и Thunderbird, связанная с раскрытием информации в результате расхождений, позволяющая нарушителю получить доступ к конфиденциальным данным
BDU:2021-02028
Уязвимость компонента SharedWorkerService браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2020-12399
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
- [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
- GLSA-202007-49
- USN-4421-1
- DSA-4726
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- DSA-4726
- USN-4421-1
- GLSA-202007-49
- [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
Modified: 2024-11-21
CVE-2020-12405
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631618
- USN-4421-1
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631618
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- USN-4421-1
Modified: 2024-11-21
CVE-2020-12406
Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1639590
- USN-4421-1
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1639590
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- USN-4421-1
Modified: 2024-11-21
CVE-2020-12407
Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content. This vulnerability affects Firefox < 77.
Modified: 2024-11-21
CVE-2020-12408
When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar. This vulnerability affects Firefox < 77.
Modified: 2024-11-21
CVE-2020-12409
When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL. This vulnerability affects Firefox < 77.
Modified: 2024-11-21
CVE-2020-12410
Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1619305%2C1632717
- USN-4421-1
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1619305%2C1632717
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- USN-4421-1
Modified: 2024-11-21
CVE-2020-12411
Mozilla developers reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 77.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-13777
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
- openSUSE-SU-2020:0790
- https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
- FEDORA-2020-76b705bb63
- FEDORA-2020-4f78f122a3
- FEDORA-2020-ea11cb5ccc
- FEDORA-2020-0cce3578e2
- GLSA-202006-01
- https://security.netapp.com/advisory/ntap-20200619-0004/
- USN-4384-1
- DSA-4697
- openSUSE-SU-2020:0790
- DSA-4697
- USN-4384-1
- https://security.netapp.com/advisory/ntap-20200619-0004/
- GLSA-202006-01
- FEDORA-2020-0cce3578e2
- FEDORA-2020-ea11cb5ccc
- FEDORA-2020-4f78f122a3
- FEDORA-2020-76b705bb63
- https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03