Errata ALT-PU-2021-2636-1: Information
Fixes
Published: Aug. 10, 2021
BDU:2021-04068
Уязвимость браузера Mozilla Firefox, позволяющая нарушителю выполнить произвольный код в целевой системе
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Aug. 10, 2021
BDU:2021-04069
Уязвимость веб-браузеров Firefox, Firefox ESR, почтового клиента Thunderbird, связанная с возникновением конфликта интерпретаций, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Aug. 10, 2021
BDU:2021-04070
Уязвимость браузера Mozilla Firefox, позволяющая нарушителю выполнить произвольный код в целевой системе
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Aug. 10, 2021
BDU:2021-04071
Уязвимость браузера Mozilla Firefox, позволяющая нарушителю выполнить произвольный код в целевой системе
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Aug. 10, 2021
BDU:2021-04072
Уязвимость метода MediaCacheStream::NotifyDataReceived почтового клиента Thunderbird, браузеров Firefox и Firefox ESR, позволяющая нарушителю выполнить произвольный код в целевой системе
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Aug. 10, 2021
BDU:2021-04073
Уязвимость браузера Mozilla Firefox, позволяющая нарушителю выполнить произвольный код в целевой системе
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Sept. 8, 2021
BDU:2021-04558
Уязвимость браузера Mozilla Firefox, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Nov. 3, 2021
BDU:2021-06060
Уязвимость почтового клиента Thunderbird, браузера Firefox, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)
Severity: HIGH (8.1) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Links:
Published: Aug. 17, 2021
BDU:2022-01890
Уязвимость компонента JIT веб-браузера Firefox, почтового клиента Thunderbird, позволяющая нарушителю получить доступ к конфиденциальным данным
Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Links:
Published: Aug. 18, 2021
BDU:2022-01891
Уязвимость компонента JIT веб-браузера Firefox, почтового клиента Thunderbird, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: June 12, 2021
BDU:2022-02172
Уязвимость панели разрешений веб-браузера Firefox, почтового клиента Thunderbird, связанная с недостатками процедуры аутентификации, позволяющая нарушителю получить доступ к конфиденциальным данным
Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Links:
Published: Aug. 17, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-29980
Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1722204
- https://www.mozilla.org/security/advisories/mfsa2021-34/
- https://www.mozilla.org/security/advisories/mfsa2021-33/
- https://www.mozilla.org/security/advisories/mfsa2021-36/
- https://www.mozilla.org/security/advisories/mfsa2021-35/
- GLSA-202202-03
- GLSA-202208-14
Published: Aug. 17, 2021
Modified: March 16, 2022
Modified: March 16, 2022
CVE-2021-29981
An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. This vulnerability affects Firefox < 91 and Thunderbird < 91.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Aug. 17, 2021
Modified: March 16, 2022
Modified: March 16, 2022
CVE-2021-29982
Due to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. This vulnerability affects Firefox < 91 and Thunderbird < 91.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Links:
Published: Aug. 17, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-29984
Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
- https://www.mozilla.org/security/advisories/mfsa2021-34/
- https://www.mozilla.org/security/advisories/mfsa2021-33/
- https://www.mozilla.org/security/advisories/mfsa2021-36/
- https://www.mozilla.org/security/advisories/mfsa2021-35/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1720031
- GLSA-202202-03
- GLSA-202208-14
Published: Aug. 17, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-29985
A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
- https://www.mozilla.org/security/advisories/mfsa2021-34/
- https://www.mozilla.org/security/advisories/mfsa2021-33/
- https://www.mozilla.org/security/advisories/mfsa2021-36/
- https://www.mozilla.org/security/advisories/mfsa2021-35/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1722083
- GLSA-202202-03
- GLSA-202208-14
Published: Aug. 17, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-29986
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://www.mozilla.org/security/advisories/mfsa2021-34/
- https://www.mozilla.org/security/advisories/mfsa2021-33/
- https://www.mozilla.org/security/advisories/mfsa2021-36/
- https://www.mozilla.org/security/advisories/mfsa2021-35/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1696138
- GLSA-202202-03
- GLSA-202208-14
Published: Aug. 17, 2021
Modified: March 16, 2022
Modified: March 16, 2022
CVE-2021-29987
After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Links:
Published: Aug. 17, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-29988
Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
- https://www.mozilla.org/security/advisories/mfsa2021-34/
- https://www.mozilla.org/security/advisories/mfsa2021-33/
- https://www.mozilla.org/security/advisories/mfsa2021-36/
- https://www.mozilla.org/security/advisories/mfsa2021-35/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1717922
- GLSA-202202-03
- GLSA-202208-14
Published: Aug. 17, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-29989
Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Nov. 3, 2021
Modified: Nov. 5, 2021
Modified: Nov. 5, 2021
CVE-2021-29991
Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Links:
Published: Nov. 3, 2021
Modified: Dec. 9, 2022
Modified: Dec. 9, 2022
CVE-2021-38493
Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links: