firefox-esr: Multiple vulnerabilities (CVE-2019-9811, CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11729, CVE-2019-11730)
- CVE-2019-9811: Sandbox escape via installation of malicious language pack
- CVE-2019-11711: Script injection within domain through inner window reuse
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
- CVE-2019-11715: HTML parsing error can contribute to content XSS
- CVE-2019-11717: Caret character improperly escaped in origins
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin
- CVE-2019-11709: Memory safety bugs
Fixed In Version:
Firefox ESR 60.8
Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/
Affected branches:
- master (6aadc57a)
- 3.10-stable