[ALAS2-2020-1468] Amazon Linux 2 2017.12 - ALAS2-2020-1468: important priority package update for thunderbird

Severity Important

Affected Packages 2

CVEs 5

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2020-12421:
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853018: CVE-2020-12421 Mozilla: Add-On updates did not respect the same certificate trust rules as software updates

CVE-2020-12420:
When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853017: CVE-2020-12420 Mozilla: Use-After-Free when trying to connect to a STUN server

CVE-2020-12419:
When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853016: CVE-2020-12419 Mozilla: Use-after-free in nsGlobalWindowInner

CVE-2020-12418:
Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853015: CVE-2020-12418 Mozilla: Information disclosure due to manipulated URL object

CVE-2020-12417:
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. Note: this issue only affects Firefox on ARM64 platforms. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853014: CVE-2020-12417 Mozilla: Memory corruption due to missing sign-extension for ValueTags on ARM64

Package	Affected Version
pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	< 68.9.0-1.amzn2
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	< 68.9.0-1.amzn2

ID

ALAS2-2020-1468

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2020-1468.html

Published

2020-07-21T16:34:00
(4 years ago)

Modified

2020-07-21T20:57:00
(4 years ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2020-12417	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12417
CVE	CVE-2020-12418	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418
CVE	CVE-2020-12419	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419
CVE	CVE-2020-12420	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420
CVE	CVE-2020-12421	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird	< 68.9.0-1.amzn2	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	thunderbird-debuginfo	< 68.9.0-1.amzn2	amazonlinux-2	x86_64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date