Alpine: multiple firefox-esr packages: security update to 78.5.0-r0

critical Tenable Cloud Security Plugin ID 404447

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and
Thunderbird < 78.5. (CVE-2020-26968)

- Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR
78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4,
Firefox < 82, and Thunderbird < 78.4. (CVE-2020-15683)

- Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially
exploit heap corruption via a crafted HTML page. (CVE-2020-15969)

- Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to
potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)

- Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote
attacker to leak cross-origin data via a crafted HTML page. (CVE-2020-16012)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-15683

https://security.alpinelinux.org/vuln/CVE-2020-15969

https://security.alpinelinux.org/vuln/CVE-2020-15999

https://security.alpinelinux.org/vuln/CVE-2020-16012

https://security.alpinelinux.org/vuln/CVE-2020-26950

https://security.alpinelinux.org/vuln/CVE-2020-26951

https://security.alpinelinux.org/vuln/CVE-2020-26953

https://security.alpinelinux.org/vuln/CVE-2020-26956

https://security.alpinelinux.org/vuln/CVE-2020-26958

https://security.alpinelinux.org/vuln/CVE-2020-26959

https://security.alpinelinux.org/vuln/CVE-2020-26960

https://security.alpinelinux.org/vuln/CVE-2020-26961

https://security.alpinelinux.org/vuln/CVE-2020-26965

https://security.alpinelinux.org/vuln/CVE-2020-26966

https://security.alpinelinux.org/vuln/CVE-2020-26968

Plugin Details

Severity: Critical

ID: 404447

Version: Revision 1.31

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.3

Percentile: 99.81

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-26968

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2020-15683

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 10/6/2020

CISA Known Exploited Vulnerability Due Dates: 11/17/2021

Exploitable With

Metasploit (Firefox MCallGetProperty Write Side Effects Use After Free Exploit)

Reference Information

CVE: CVE-2020-15683, CVE-2020-15969, CVE-2020-15999, CVE-2020-16012, CVE-2020-26950, CVE-2020-26951, CVE-2020-26953, CVE-2020-26956, CVE-2020-26958, CVE-2020-26959, CVE-2020-26960, CVE-2020-26961, CVE-2020-26965, CVE-2020-26966, CVE-2020-26968