Alpine: thunderbird: security update to 68.8.0-r0

critical Tenable Cloud Security Plugin ID 427673

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR
68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12395)

- A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to
memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-6831)

- A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This
resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76,
and Thunderbird < 68.8.0. (CVE-2020-12387)

- The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a
request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the
command into a terminal, it could have resulted in the disclosure of local files. This vulnerability
affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12392)

- The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request,
which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command
into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this
issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12393)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-12387

https://security.alpinelinux.org/vuln/CVE-2020-12392

https://security.alpinelinux.org/vuln/CVE-2020-12393

https://security.alpinelinux.org/vuln/CVE-2020-12395

https://security.alpinelinux.org/vuln/CVE-2020-12397

https://security.alpinelinux.org/vuln/CVE-2020-6831

Plugin Details

Severity: Critical

ID: 427673

Version: Revision 1.2

Type: Local

Published: 5/16/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-12395

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-6831

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/5/2020

Reference Information

CVE: CVE-2020-12387, CVE-2020-12392, CVE-2020-12393, CVE-2020-12395, CVE-2020-12397, CVE-2020-6831

IAVA: 2020-A-0190-S