firefox vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
* Ubuntu 19.10
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS
Summary
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description
* firefox - Mozilla Open Source web browser
Details
Multiple security issues were discovered in Firefox. If a user
were tricked in to opening a specially crafted website, an
attacker could potentially exploit these to cause a denial of
service, spoof the URL or other browser chrome, obtain sensitive
information, bypass Content Security Policy (CSP) protections, or
execute arbitrary code. (CVE-2019-20503, CVE-2020-6805,
CVE-2020-6806, CVE-2020-6807, CVE-2020-6808, CVE-2020-6810,
CVE-2020-6812, CVE-2020-6813, CVE-2020-6814, CVE-2020-6815)
It was discovered that Web Extensions with the all-url permission
could access local files. If a user were tricked in to installing
a specially crafted extension, an attacker could potentially
exploit this to obtain sensitive information. (CVE-2020-6809)
It was discovered that the Devtools' `Copy as cURL' feature did
not fully escape website-controlled data. If a user were tricked
in to using the `Copy as cURL' feature to copy and paste a command
with specially crafted data in to a terminal, an attacker could
potentially exploit this to execute arbitrary commands via command
injection. (CVE-2020-6811)
Update instructions
The problem can be corrected by updating your system to the
following package versions:
Ubuntu 19.10
firefox - 74.0+build3-0ubuntu0.19.10.1
Ubuntu 18.04 LTS
firefox - 74.0+build3-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
firefox - 74.0+build3-0ubuntu0.16.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References
* CVE-2019-20503
* CVE-2020-6805
* CVE-2020-6806
* CVE-2020-6807
* CVE-2020-6808
* CVE-2020-6809
* CVE-2020-6810
* CVE-2020-6811
* CVE-2020-6812
* CVE-2020-6813
* CVE-2020-6814
* CVE-2020-6815
--- Mystic BBS v1.12 A45 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)