Alpine: multiple firefox-esr packages: security update to 68.3.0-r0

high Tenable Cloud Security Plugin ID 404429

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3,
and Firefox < 71. (CVE-2019-17012)

- The plain text serializer used a fixed-size array for the number of <ol> elements it could process;
however it was possible to overflow the static-sized array leading to memory corruption and a potentially
exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
(CVE-2019-17005)

- When using nested workers, a use-after-free could occur during worker destruction. This resulted in a
potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and
Firefox < 71. (CVE-2019-17008)

- When running, the updater service wrote status and log files to an unrestricted location; potentially
allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater
service. *Note: This attack requires local system access and only affects Windows. Other operating systems
are not affected.*. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
(CVE-2019-17009)

- Under certain conditions, when checking the Resist Fingerprinting preference during device orientation
checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This
vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17010)

Solution

Update the firefox-esr library and its related packages to version 68.3.0-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2019-17005

https://security.alpinelinux.org/vuln/CVE-2019-17008

https://security.alpinelinux.org/vuln/CVE-2019-17009

https://security.alpinelinux.org/vuln/CVE-2019-17010

https://security.alpinelinux.org/vuln/CVE-2019-17011

https://security.alpinelinux.org/vuln/CVE-2019-17012

Plugin Details

Severity: High

ID: 404429

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-17012

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/3/2019

Reference Information

CVE: CVE-2019-17005, CVE-2019-17008, CVE-2019-17009, CVE-2019-17010, CVE-2019-17011, CVE-2019-17012