Alpine: multiple firefox-esr packages: security update to 68.10.0-r0

high Tenable Self-Hosted Container Security Plugin ID 404426

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier,
resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox
on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird <
68.10.0. (CVE-2020-12417)

- Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process
memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and
Thunderbird < 68.10.0. (CVE-2020-12418)

- When processing callbacks that occurred during window flushing in the parent process, the associated
window may die; causing a use-after-free condition. This could have led to memory corruption and a
potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and
Thunderbird < 68.10.0. (CVE-2020-12419)

- When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer,
leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR <
68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12420)

- When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even
if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date
silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78,
and Thunderbird < 68.10.0. (CVE-2020-12421)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-12417

https://security.alpinelinux.org/vuln/CVE-2020-12418

https://security.alpinelinux.org/vuln/CVE-2020-12419

https://security.alpinelinux.org/vuln/CVE-2020-12420

https://security.alpinelinux.org/vuln/CVE-2020-12421

Plugin Details

Severity: High

ID: 404426

Version: Revision 1.26

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-12420

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/6/2020

Reference Information

CVE: CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, CVE-2020-12421