205 lines
9.7 KiB
JSON
205 lines
9.7 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20211158",
|
||
"Version": "oval:org.altlinux.errata:def:20211158",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2021-1158: package `firefox-esr` update to version 78.7.0-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch p11"
|
||
],
|
||
"Products": [
|
||
"ALT Container"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2021-1158",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-1158",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-02087",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-02087",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-02088",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-02088",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-02089",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-02089",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-02090",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-02090",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-26976",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-26976",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-23953",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-23953",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-23954",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-23954",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-23960",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-23960",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-23964",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-23964",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades firefox-esr to version 78.7.0-alt1. \nSecurity Fix(es):\n\n * BDU:2021-02087: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с ошибкой преобразования типов, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2021-02088: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2021-02089: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с включением функций из недостоверной контролируемой области, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-02090: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с некорректной обработкой нулевых байтов или символов NULL при обмене данными, позволяющая нарушителю повысить свои привилегии или вызвать отказ в обслуживании\n\n * CVE-2020-26976: When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox \u003c 84.\n\n * CVE-2021-23953: If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox \u003c 85, Thunderbird \u003c 78.7, and Firefox ESR \u003c 78.7.\n\n * CVE-2021-23954: Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox \u003c 85, Thunderbird \u003c 78.7, and Firefox ESR \u003c 78.7.\n\n * CVE-2021-23960: Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox \u003c 85, Thunderbird \u003c 78.7, and Firefox ESR \u003c 78.7.\n\n * CVE-2021-23964: Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 85, Thunderbird \u003c 78.7, and Firefox ESR \u003c 78.7.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2021-01-26"
|
||
},
|
||
"Updated": {
|
||
"Date": "2021-01-26"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2021-02087",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-843",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-02087",
|
||
"Impact": "High",
|
||
"Public": "20210126"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-02088",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-02088",
|
||
"Impact": "High",
|
||
"Public": "20210126"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-02089",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-829",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-02089",
|
||
"Impact": "Low",
|
||
"Public": "20210126"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-02090",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-626",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-02090",
|
||
"Impact": "High",
|
||
"Public": "20210126"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2020-26976",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-26976",
|
||
"Impact": "Low",
|
||
"Public": "20210107"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-23953",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-23953",
|
||
"Impact": "Low",
|
||
"Public": "20210226"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-23954",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-843",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-23954",
|
||
"Impact": "High",
|
||
"Public": "20210226"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-23960",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-23960",
|
||
"Impact": "High",
|
||
"Public": "20210226"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-23964",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-787",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-23964",
|
||
"Impact": "High",
|
||
"Public": "20210226"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:container:11"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211158001",
|
||
"Comment": "firefox-esr is earlier than 0:78.7.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211158002",
|
||
"Comment": "firefox-esr-config-privacy is earlier than 0:78.7.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211158003",
|
||
"Comment": "firefox-esr-wayland is earlier than 0:78.7.0-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |