MGASA-2020-0009

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2020-0009.html
Import Source
https://advisories.mageia.org/MGASA-2020-0009.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2020-0009
Related
Published
2020-01-05T15:37:51Z
Modified
2020-01-05T15:10:52Z
Summary
Updated mozjs60 packages fix security vulnerability
Details

The updated packages fix security vulnerabilities:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. (CVE-2019-11707)

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708)

The mozjs60 package has been updated to version 60.9.0, fixing these issues and other bugs. The gjs package has been rebuilt against the updated mozjs60.

References
Credits

Affected packages

Mageia:7 / mozjs60

Package

Name
mozjs60
Purl
pkg:rpm/mageia/mozjs60?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
60.9.0-1.mga7

Ecosystem specific 

{
    "section": "core"
}

Mageia:7 / gjs

Package

Name
gjs
Purl
pkg:rpm/mageia/gjs?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.56.2-1.1.mga7

Ecosystem specific 

{
    "section": "core"
}