Alpine: multiple firefox-esr packages: security update to 102.10.0-r0

critical Tenable Cloud Security Plugin ID 404393

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these could have been exploited to run
arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10,
Firefox for Android < 112, and Thunderbird < 102.10. (CVE-2023-29550)

- Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially
exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.
(CVE-2023-1945)

- There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode()
function and loop through to free best.bw and assign best = trial pointer. The second loop will then
return 0 because of an out-of-memory error in the VP8 encoder; the pointer is still assigned to trial, and
AddressSanitizer will attempt a double free. (CVE-2023-1999)

- An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory
corruption and a potentially exploitable crash. *This bug only affects Firefox and Thunderbird for macOS.
Other operating systems are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10,
and Thunderbird < 102.10. (CVE-2023-29531)

- A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by
pointing the service at an update file on a malicious SMB server. The update file can be replaced after
the signature check, before the use, because the write-lock requested by the service does not work on an
SMB server. *Note: This attack requires local system access and only affects Windows. Other operating
systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird
< 102.10. (CVE-2023-29532)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-1945

https://security.alpinelinux.org/vuln/CVE-2023-1999

https://security.alpinelinux.org/vuln/CVE-2023-29531

https://security.alpinelinux.org/vuln/CVE-2023-29532

https://security.alpinelinux.org/vuln/CVE-2023-29533

https://security.alpinelinux.org/vuln/CVE-2023-29535

https://security.alpinelinux.org/vuln/CVE-2023-29536

https://security.alpinelinux.org/vuln/CVE-2023-29539

https://security.alpinelinux.org/vuln/CVE-2023-29541

https://security.alpinelinux.org/vuln/CVE-2023-29542

https://security.alpinelinux.org/vuln/CVE-2023-29545

https://security.alpinelinux.org/vuln/CVE-2023-29548

https://security.alpinelinux.org/vuln/CVE-2023-29550

Plugin Details

Severity: Critical

ID: 404393

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 3/16/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-29550

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2023-29542

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/11/2023

Reference Information

CVE: CVE-2023-1945, CVE-2023-1999, CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29542, CVE-2023-29545, CVE-2023-29548, CVE-2023-29550