Alpine: multiple firefox-esr packages: security update to 68.8.0-r0

critical Tenable Cloud Security Plugin ID 404435

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR
68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12395)

- A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to
memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-6831)

- A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This
resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76,
and Thunderbird < 68.8.0. (CVE-2020-12387)

- The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox
escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects
Firefox ESR < 68.8 and Firefox < 76. (CVE-2020-12388, CVE-2020-12389)

Solution

Update the firefox-esr library and its related packages to version 68.8.0-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2020-12387

https://security.alpinelinux.org/vuln/CVE-2020-12388

https://security.alpinelinux.org/vuln/CVE-2020-12389

https://security.alpinelinux.org/vuln/CVE-2020-12392

https://security.alpinelinux.org/vuln/CVE-2020-12393

https://security.alpinelinux.org/vuln/CVE-2020-12395

https://security.alpinelinux.org/vuln/CVE-2020-6831

Plugin Details

Severity: Critical

ID: 404435

Version: Revision 1.32

Type: Local

Published: 10/31/2023

Updated: 6/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-12395

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-12389

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/5/2020

Reference Information

CVE: CVE-2020-12387, CVE-2020-12388, CVE-2020-12389, CVE-2020-12392, CVE-2020-12393, CVE-2020-12395, CVE-2020-6831