Alpine: multiple firefox-esr packages: security update to 115.6.0-r0

high Tenable Cloud Security Plugin ID 408231

Description

The installed firefox-esr package is affected by multiple vulnerabilities fixed in 115.6.0-r0. The following CVEs are summarized below; the complete list is under Reference Information:

- Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and
Firefox < 121. (CVE-2023-6864)

- The WebGL `DrawElementsInstanced` method was susceptible to a heap buffer overflow when used on systems
with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox
escape. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.
(CVE-2023-6856)

- When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller
than necessary. *This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS).
Windows is unaffected.* This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox <
121. (CVE-2023-6857)

- Firefox was susceptible to a heap buffer overflow in `nsTextFragment` due to insufficient OOM handling.
This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6858)

- A use-after-free condition affected TLS socket creation when under memory pressure. This vulnerability
affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. (CVE-2023-6859)
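The check a practitioner would run on the host before and after applying the update, as an added example that is not part of the Tenable plugin or of Alpine's tooling. It assumes the `apk list --installed firefox-esr` output format `name-version arch {origin} (license) [installed]`, works from constructed sample lines when apk is not present, and takes the fixed version 115.6.0-r0 from the advisory title. Version fields are compared numerically, so a release such as 115.10.0-r0 is correctly judged newer than 115.6.0-r0 (a plain string comparison would get that wrong).

```shell
#!/bin/sh
# Added example (not Tenable's or Alpine's code): decide whether an installed
# Alpine firefox-esr is at or above the fixed version named in the advisory.
FIXED_VERSION="115.6.0-r0"

# Constructed sample lines in the `apk list --installed firefox-esr` format
# (assumption: "name-version arch {origin} (license) [installed]").
SAMPLE_VULN='firefox-esr-115.5.0-r0 x86_64 {firefox-esr} (MPL-2.0) [installed]'
SAMPLE_FIXED='firefox-esr-115.6.0-r0 x86_64 {firefox-esr} (MPL-2.0) [installed]'

# ver_key VERSION: print "MAJOR MINOR PATCH REL" for an Alpine version such as
# 115.6.0-r0; fail with no output if the string is not in that form.
ver_key() {
  k=$(printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)-r([0-9]+)$/\1 \2 \3 \4/')
  [ "$k" != "$1" ] || return 1
  printf '%s\n' "$k"
}

# ver_ge A B: return 0 if A >= B, 1 if A < B, 2 if either is unparseable.
# Fields are compared as integers, field by field.
ver_ge() {
  set -- $(ver_key "$1") $(ver_key "$2")
  [ $# -eq 8 ] || return 2
  while [ $# -gt 4 ]; do          # $1..$4 are A's fields, $5..$8 are B's
    if [ "$1" -gt "$5" ]; then return 0; fi
    if [ "$1" -lt "$5" ]; then return 1; fi
    shift                         # advance both sides by one field
  done
  return 0                        # all four fields equal
}

# installed_version LINE: pull the version out of one apk list line.
installed_version() {
  v=$(printf '%s\n' "$1" | sed -E 's/^firefox-esr-([0-9.]+-r[0-9]+) .*$/\1/')
  [ "$v" != "$1" ] || return 1
  printf '%s\n' "$v"
}

# check_line LINE: 0 if the package on that line is fixed, 1 if it is still
# vulnerable, 2 if the line or version could not be parsed.
check_line() {
  v=$(installed_version "$1") || return 2
  rc=0
  ver_ge "$v" "$FIXED_VERSION" || rc=$?
  case "$rc" in
    0) echo "firefox-esr $v: fixed (>= $FIXED_VERSION)"; return 0 ;;
    1) echo "firefox-esr $v: VULNERABLE (< $FIXED_VERSION)"; return 1 ;;
    *) echo "firefox-esr $v: unrecognised version format"; return 2 ;;
  esac
}

# Run against the live package database when apk is present, otherwise
# against the constructed samples above.
if command -v apk >/dev/null 2>&1; then
  apk list --installed firefox-esr 2>/dev/null | while read -r line; do
    check_line "$line" || true
  done
else
  for line in "$SAMPLE_VULN" "$SAMPLE_FIXED"; do
    check_line "$line" || true
  done
fi
```

On a live Alpine host, apk's own comparator gives the same answer without the parsing: `apk version -t 115.5.0-r0 115.6.0-r0` prints `<`. Remediation is `apk update && apk upgrade firefox-esr`, after which the check should report the package as fixed.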

See Also

https://security.alpinelinux.org/vuln/CVE-2023-6856

https://security.alpinelinux.org/vuln/CVE-2023-6857

https://security.alpinelinux.org/vuln/CVE-2023-6858

https://security.alpinelinux.org/vuln/CVE-2023-6859

https://security.alpinelinux.org/vuln/CVE-2023-6860

https://security.alpinelinux.org/vuln/CVE-2023-6861

https://security.alpinelinux.org/vuln/CVE-2023-6862

https://security.alpinelinux.org/vuln/CVE-2023-6863

https://security.alpinelinux.org/vuln/CVE-2023-6864

https://security.alpinelinux.org/vuln/CVE-2023-6865

https://security.alpinelinux.org/vuln/CVE-2023-6867

Plugin Details

Severity: High

ID: 408231

Version: Revision 1.12

Type: Local

Published: 1/16/2024

Updated: 6/1/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-6864

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/18/2023

Reference Information

CVE: CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867