Bug 50623 - firefox-esr: Multiple issues (4.3)
firefox-esr: Multiple issues (4.3)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
  Show dependency treegraph
Reported: 2019-12-11 10:02 CET by Quality Assurance
Modified: 2019-12-11 17:06 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) NVD RedHat


Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-12-11 10:02:47 CET
New Debian firefox-esr 68.3.0esr-1~deb9u1 fixes:
This update addresses the following issues:
* Tor Browser through 8.5.3 has an information exposure vulnerability. It  allows remote attackers to detect the browser's language via vectors  involving an IFRAME element, because text in that language is included in  the title attribute of a LINK element for a non-HTML page. This is related  to a behavior of Firefox before 68. (CVE-2019-13075)
* Buffer overflow in plain text serializer (CVE-2019-17005)
* Use-after-free in worker destruction (CVE-2019-17008)
* Use-after-free when performing device orientation checks (CVE-2019-17010)
* Use-after-free when retrieving a document in antitracking (CVE-2019-17011)
* Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3  (CVE-2019-17012)
Comment 1 Quality Assurance univentionstaff 2019-12-11 10:04:33 CET
--- mirror/ftp/4.3/unmaintained/component/4.3-5-errata/source/firefox-esr_68.2.0esr-1~deb9u2.dsc
+++ apt/ucs_4.3-0-errata4.3-5/source/firefox-esr_68.3.0esr-1~deb9u1.dsc
@@ -1,3 +1,18 @@
+68.3.0esr-1~deb9u1 [Sat, 07 Dec 2019 08:58:01 +0900] Mike Hommey <glandium@debian.org>:
+  * New upstream release.
+  * Fixes for mfsa2019-37, also known as:
+    CVE-2019-17008, CVE-2019-11745, CVE-2019-17010, CVE-2019-17005,
+    CVE-2019-17011, CVE-2019-17012.
+  * debian/control.in: Bump nss build dependencies.
+  * intl/icu_sources_data.py:
+    - Revert change from 68.2.0esr-1~deb9u2.
+    - Don't build ICU in parallel.
+  * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around
+    GCC ICEs on arm.
+    (Thanks Emilio Pozuelo Monfort)
 68.2.0esr-1~deb9u2 [Wed, 06 Nov 2019 12:22:11 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
   * Don't set the NASM make variable on architectures without nasm, fixes

Comment 2 Philipp Hahn univentionstaff 2019-12-11 16:06:03 CET
OK: yaml
OK: announce_errata
OK: patch
FAIL: piuparts

[4.3-5] 20b4da1790 Bug #50623: firefox-esr 68.3.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Comment 3 Erik Damrose univentionstaff 2019-12-11 17:06:32 CET