Headline
Ubuntu Security Notice USN-6779-2
Ubuntu Security Notice 6779-2 - USN-6779-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory when audio input connected with multiple consumers. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. Thomas Rinsma discovered that Firefox did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. Irvan Kurniawan discovered that Firefox did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service.
==========================================================================Ubuntu Security Notice USN-6779-2May 29, 2024firefox regressions==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:USN-6779-1 caused some minor regressions in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:USN-6779-1 fixed vulnerabilities in Firefox. The update introducedseveral minor regressions. This update fixes the problem.Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778) Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory when audio input connected with multiple consumers. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-4764) Thomas Rinsma discovered that Firefox did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367) Irvan Kurniawan discovered that Firefox did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-4770)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS firefox 126.0.1+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References: https://ubuntu.com/security/notices/USN-6779-2 https://ubuntu.com/security/notices/USN-6779-1 https://launchpad.net/bugs/2067445Package Information: https://launchpad.net/ubuntu/+source/firefox/126.0.1+build1-0ubuntu0.20.04.1Related news
OX App Suite frontend version 7.10.6-rev44 suffers from a cross site scripting vulnerability.
Debian Linux Security Advisory 5742-1 - A vulnerability was discovered in odoo, a suite of web based open source business apps. It could result in the execution of arbitrary code.
Gentoo Linux Security Advisory 202408-2 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.12.0:esr are affected.
Red Hat Security Advisory 2024-3784-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3783-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645