Ubuntu Update for firefox USN-4122-1

Published: 2019-09-05 02:00:38
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary:
The remote host is missing an update for the 'firefox' Linux Distribution Package(s) announced via the USN-4122-1 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, bypass Content Security Policy (CSP) protections, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, cause a denial of service, or execute arbitrary code. (CVE-2019-5849, CVE-2019-11734, CVE-2019-11735, CVE-2019-11737, CVE-2019-11738, CVE-2019-11740, CVE-2019-11742, CVE-2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11752)

It was discovered that a compromised content process could log in to a malicious Firefox Sync account. An attacker could potentially exploit this, in combination with another vulnerability, to disable the sandbox. (CVE-2019-9812)

It was discovered that addons.mozilla.org and accounts.firefox.com could be loaded into the same content process. An attacker could potentially exploit this, in combination with another vulnerability that allowed a cross-site scripting (XSS) attack, to modify browser settings. (CVE-2019-11741)

It was discovered that the 'Forget about this site' feature in the history pane removes HTTP Strict Transport Security (HSTS) settings for sites on the pre-load list. An attacker could potentially exploit this to bypass the protections offered by HSTS. (CVE-2019-11747)

Affected Versions:
'firefox' Linux Distribution Package(s) on Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.

Recommendations:
Please install the updated Linux Distribution Package(s).

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2019-5849
https://nvd.nist.gov/vuln/detail/CVE-2019-11734
https://nvd.nist.gov/vuln/detail/CVE-2019-11735
https://nvd.nist.gov/vuln/detail/CVE-2019-11737
https://nvd.nist.gov/vuln/detail/CVE-2019-11738
https://nvd.nist.gov/vuln/detail/CVE-2019-11740
https://nvd.nist.gov/vuln/detail/CVE-2019-11742
https://nvd.nist.gov/vuln/detail/CVE-2019-11743
https://nvd.nist.gov/vuln/detail/CVE-2019-11744
https://nvd.nist.gov/vuln/detail/CVE-2019-11746
https://nvd.nist.gov/vuln/detail/CVE-2019-11748
https://nvd.nist.gov/vuln/detail/CVE-2019-11749
https://nvd.nist.gov/vuln/detail/CVE-2019-11750
https://nvd.nist.gov/vuln/detail/CVE-2019-11752
https://nvd.nist.gov/vuln/detail/CVE-2019-9812
https://nvd.nist.gov/vuln/detail/CVE-2019-11741
https://nvd.nist.gov/vuln/detail/CVE-2019-11747

References:

https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-September/005100.html

Severity:
Medium

CVSS Score:
5.0
