Opened 6 weeks ago
Closed 6 weeks ago
#19499 closed enhancement (fixed)
firefox-115.9.0esr
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | 12.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Now available, Release Announcement due tomorrow.
Change History (5)
follow-up: 2 comment:1 by , 6 weeks ago
| Priority: | normal → high |
|---|
follow-up: 3 comment:2 by , 6 weeks ago
Replying to ken@…:
For CVE-2024-2616 the link is to https://bugzilla.mozilla.org/show_bug.cgi?id=1846197 which is of course not yet public. Given that mozilla prefers to use the bundled icu4x [https://github.com/unicode-org/icu4x] I am unsure if their hardening is in the mozilla code which calls icu, in icu4x itself, or in only their shipped icu4x. Interesting that they rate it as High. Awaiting analysis at NVD, no details except the advisories and the bug link.
The relevant change seems https://hg.mozilla.org/releases/mozilla-esr115/rev/ed4feddaa2024cc0d9af4de7aa16cde901b2702b. It changes the mozilla code allocating the memory for ICU.
comment:3 by , 6 weeks ago
Replying to Xi Ruoyao:
Replying to ken@…:
For CVE-2024-2616 the link is to https://bugzilla.mozilla.org/show_bug.cgi?id=1846197 which is of course not yet public. Given that mozilla prefers to use the bundled icu4x [https://github.com/unicode-org/icu4x] I am unsure if their hardening is in the mozilla code which calls icu, in icu4x itself, or in only their shipped icu4x. Interesting that they rate it as High. Awaiting analysis at NVD, no details except the advisories and the bug link.
The relevant change seems https://hg.mozilla.org/releases/mozilla-esr115/rev/ed4feddaa2024cc0d9af4de7aa16cde901b2702b. It changes the mozilla code allocating the memory for ICU.
Many thanks!
comment:5 by , 6 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Security Advisory SA-12.1-008 created.
Release Notes https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/
CVE-2024-0743: Crash in NSS TLS method High
CVE-2024-2608 Integer overflow could have led to out of bounds write High
CVE-2024-2616 Improve handling of out-of-memory conditions in ICU. High
CVE-2023-5388: NSS susceptible to timing attack against RSA decryption Medium
CVE-2024-2610: Improper handling of html and body tags enabled CSP nonce leakage Medium
CVE-2024-2611: Clickjacking vulnerability could have led to a user accidentally granting permissions Medium
CVE-2024-2612: Self referencing object could have potentially led to a use-afer-free Medium
CVE-2024-2614: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9 Thunderbird 115.9 High
Also CVE-2024-2605 for Windows, CVE-2024-2607 for Arm V7-A
For CVE-2024-2616 the link is to https://bugzilla.mozilla.org/show_bug.cgi?id=1846197 which is of course not yet public. Given that mozilla prefers to use the bundled icu4x [https://github.com/unicode-org/icu4x] I am unsure if their hardening is in the mozilla code which calls icu, in icu4x itself, or in only their shipped icu4x. Interesting that they rate it as High. Awaiting analysis at NVD, no details except the advisories and the bug link.
For CVE-2023-5388 the position at NVD is similar (links are for FF and TB). I assume that using current system NSS fixes this (we are on 3.98, FF-115.9.0 updated shipped nss to 3.90.2.