Ubuntu Update for firefox USN-3991-3

Published: 2019-06-15 02:00:31
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:H/Au:N/C:N/I:N/A:P

Summary:
The remote host is missing an update for the 'firefox' Linux Distribution Package(s) announced via the USN-3991-3 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
USN-3991-1 fixed vulnerabilities in Firefox, and USN-3991-2 fixed a subsequent regression. The update caused an additional regression that resulted in Firefox failing to load correctly after executing it in safe mode. This update fixes the problem. We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, trick the user into launching local executable binaries, obtain sensitive information, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. (CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695, CVE-2019-11696, CVE-2019-11699, CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-9821)

It was discovered that pressing certain key combinations could bypass addon installation prompt delays. If a user opened a specially crafted website, an attacker could potentially exploit this to trick them into installing a malicious extension. (CVE-2019-11697)

It was discovered that history data could be exposed via drag and drop of hyperlinks to and from bookmarks. If a user were tricked into dragging a specially crafted hyperlink to the bookmark toolbar or sidebar, and subsequently back into the web content area, an attacker could potentially exploit this to obtain sensitive information. (CVE-2019-11698)

A type confusion bug was discovered with object groups and UnboxedObjects. If a user were tricked into opening a specially crafted website after enabling the UnboxedObjects feature, an attacker could potentially exploit this to bypass security checks. (CVE-2019-9816)

Affected Versions:
'firefox' Linux Distribution Package(s) on Ubuntu 19.04, Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.

Recommendations:
Please install the updated Linux Distribution Package(s).

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2019-11691
https://nvd.nist.gov/vuln/detail/CVE-2019-11692
https://nvd.nist.gov/vuln/detail/CVE-2019-11693
https://nvd.nist.gov/vuln/detail/CVE-2019-11695
https://nvd.nist.gov/vuln/detail/CVE-2019-11696
https://nvd.nist.gov/vuln/detail/CVE-2019-11699
https://nvd.nist.gov/vuln/detail/CVE-2019-11701
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
https://nvd.nist.gov/vuln/detail/CVE-2019-9800
https://nvd.nist.gov/vuln/detail/CVE-2019-9814
https://nvd.nist.gov/vuln/detail/CVE-2019-9817
https://nvd.nist.gov/vuln/detail/CVE-2019-9819
https://nvd.nist.gov/vuln/detail/CVE-2019-9820
https://nvd.nist.gov/vuln/detail/CVE-2019-9821
https://nvd.nist.gov/vuln/detail/CVE-2019-11697
https://nvd.nist.gov/vuln/detail/CVE-2019-11698
https://nvd.nist.gov/vuln/detail/CVE-2019-9816

References:

https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-June/004959.html

Severity:
Low

CVSS Score:
2.6
