[ALAS2-2020-1468] Amazon Linux 2 2017.12 - ALAS2-2020-1468: important priority package update for thunderbird
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2020-12421:
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853018: CVE-2020-12421 Mozilla: Add-On updates did not respect the same certificate trust rules as software updates
CVE-2020-12420:
When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853017: CVE-2020-12420 Mozilla: Use-After-Free when trying to connect to a STUN server
CVE-2020-12419:
When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853016: CVE-2020-12419 Mozilla: Use-after-free in nsGlobalWindowInner
CVE-2020-12418:
Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853015: CVE-2020-12418 Mozilla: Information disclosure due to manipulated URL object
CVE-2020-12417:
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. Note: this issue only affects Firefox on ARM64 platforms. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
1853014: CVE-2020-12417 Mozilla: Memory corruption due to missing sign-extension for ValueTags on ARM64
Package | Affected Version |
---|---|
pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2 | < 68.9.0-1.amzn2 |
pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2 | < 68.9.0-1.amzn2 |
- ID
- ALAS2-2020-1468
- Severity
- important
- URL
- https://alas.aws.amazon.com/AL2/ALAS-2020-1468.html
- Published
-
2020-07-21T16:34:00
(4 years ago) - Modified
-
2020-07-21T20:57:00
(4 years ago) - Rights
- Amazon Linux Security Team
- Other Advisories
-
- ALPINE:CVE-2020-12417
- ALPINE:CVE-2020-12418
- ALPINE:CVE-2020-12419
- ALPINE:CVE-2020-12420
- ALPINE:CVE-2020-12421
- DSA-4713-1
- DSA-4718-1
- ELSA-2020-2824
- ELSA-2020-2827
- ELSA-2020-2828
- ELSA-2020-2906
- ELSA-2020-2966
- ELSA-2020-3038
- GLSA-202007-09
- GLSA-202007-10
- MFSA-2020-24
- MFSA-2020-25
- MFSA-2020-26
- MFSA-2020-29
- openSUSE-SU-2020:0967-1
- openSUSE-SU-2020:0982-1
- openSUSE-SU-2020:0983-1
- openSUSE-SU-2020:1017-1
- RHSA-2020:2824
- RHSA-2020:2827
- RHSA-2020:2828
- RHSA-2020:2906
- RHSA-2020:2966
- RHSA-2020:3038
- SUSE-SU-2020:1898-1
- SUSE-SU-2020:1899-1
- SUSE-SU-2020:1900-1
- USN-4408-1
- USN-4421-1
Source | # ID | Name | URL |
---|---|---|---|
CVE | CVE-2020-12417 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12417 | |
CVE | CVE-2020-12418 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418 | |
CVE | CVE-2020-12419 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419 | |
CVE | CVE-2020-12420 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420 | |
CVE | CVE-2020-12421 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/amazonlinux/thunderbird?arch=x86_64&distro=amazonlinux-2 | amazonlinux | thunderbird | < 68.9.0-1.amzn2 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/thunderbird-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux | thunderbird-debuginfo | < 68.9.0-1.amzn2 | amazonlinux-2 | x86_64 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |