{"id":"MGASA-2020-0377","summary":"Updated firefox packages fix security vulnerabilities","details":"Mozilla developer Jason Kratzer reported memory safety bugs present in Firefox\nESR 78.2. Some of these bugs showed evidence of memory corruption and we\npresume that with enough effort some of these could have been exploited to run\narbitrary code (CVE-2020-15673).\n\nFirefox sometimes ran the onload handler for SVG elements that the DOM\nsanitizer decided to remove, resulting in a XSS issue due to JavaScript being\nexecuted after pasting attacker-controlled data into a contenteditable element\n(CVE-2020-15676).\n\nBy exploiting an Open Redirect vulnerability on a website, an attacker could\nhave spoofed the site displayed in the download file dialog to show the\noriginal site (the one suffering from the open redirect) rather than the site\nthe file was actually downloaded from (CVE-2020-15677).\n\nWhen recursing through graphical layers while scrolling, an iterator may have\nbecome invalid, resulting in a potential use-after-free. This occurs because\nthe function APZCTreeManager::ComputeClippedCompositionBounds did not follow\niterator invalidation rules (CVE-2020-15678).\n\nThe firefox package has been updated to the 78.x ESR branch, which brings\nsignificant changes in how CA certificates and smart cards are loaded into\nFirefox.\n\nThe root CA certificates are no longer statically built into the nss library.\nThey are loaded dynamically via p11-kit-trust, and therefore may be modified\nby the system administrator. Smart card support should be automatically loaded\nvia p11-kit-trust as well, rather than requiring opensc to be manually loaded.\nNSS also now complies with the system crypto policy, which is provided by the\ncrypto-policies package.  See the fedoraproject references for details.\n","modified":"2026-04-16T04:44:03.690390317Z","published":"2020-09-30T10:01:40Z","upstream":["CVE-2020-15673","CVE-2020-15676","CVE-2020-15677","CVE-2020-15678"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0377.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26711"},{"type":"WEB","url":"https://fedoraproject.org/wiki/Changes/CryptoPolicy"},{"type":"WEB","url":"https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules"},{"type":"WEB","url":"https://groups.google.com/g/mozilla.dev.tech.nspr/c/zrirzzoOjeg"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53.1_release_notes"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.54_release_notes"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/"}],"affected":[{"package":{"name":"crypto-policies","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/crypto-policies?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20200813-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}},{"package":{"name":"p11-kit","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/p11-kit?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.23.21-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}},{"package":{"name":"nspr","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/nspr?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.29-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}},{"package":{"name":"rootcerts","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/rootcerts?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20200911.00-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}},{"package":{"name":"nss","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.57.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}},{"package":{"name":"firefox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.3.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.3.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0377.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}