firefox-esr: Multiple vulnerabilities in versions before 78.5
- CVE-2020-15683: Memory safety bugs
- CVE-2020-15969: Use-after-free in usersctp
Fixed In Version:
Firefox ESR 78.4
Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-46/
- CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for
Fixed In Version:
Firefox ESR 78.4.1
Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/
- CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
- CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
- CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
- CVE-2020-26956: XSS through paste (manual and clipboard API)
- CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
- CVE-2020-26959: Use-after-free in WebRequestService
- CVE-2020-26960: Potential use-after-free in uses of nsTArray
- CVE-2020-15999: Heap buffer overflow in freetype
- CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
- CVE-2020-26965: Software keyboards may have remembered typed passwords
- CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
Fixed In Version:
Firefox ESR 78.5
Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/#CVE-2020-26956
Affected branches:
- master
- 3.12-stable