Alpine: multiple firefox-esr packages: security update to 60.8.0-r0

critical Tenable Cloud Security Plugin ID 404422

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in
use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox
< 68, and Thunderbird < 60.8. (CVE-2019-11713)

- As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious
language pack and then opening a browser feature that used the compromised translation. This vulnerability
affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-9811)

- Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR
60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that
some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8,
Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11709)

- When an inner window is reused, it does not consider the use of document.domain for cross-origin
protections. If pages on different subdomains ever cooperatively use document.domain, then either page can
abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use
document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox <
68, and Thunderbird < 60.8. (CVE-2019-11711)

- POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass
CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This
vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11712)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-11709

https://security.alpinelinux.org/vuln/CVE-2019-11711

https://security.alpinelinux.org/vuln/CVE-2019-11712

https://security.alpinelinux.org/vuln/CVE-2019-11713

https://security.alpinelinux.org/vuln/CVE-2019-11715

https://security.alpinelinux.org/vuln/CVE-2019-11717

https://security.alpinelinux.org/vuln/CVE-2019-11719

https://security.alpinelinux.org/vuln/CVE-2019-11729

https://security.alpinelinux.org/vuln/CVE-2019-11730

https://security.alpinelinux.org/vuln/CVE-2019-9811

Plugin Details

Severity: Critical

ID: 404422

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.57

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-11713

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/9/2019

Reference Information

CVE: CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11729, CVE-2019-11730, CVE-2019-9811

BID: 109086