Alpine: multiple firefox-esr packages: security update to 69.9.0-r0

critical Tenable Self-Hosted Container Security Plugin ID 404437

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This
results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69,
Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11752)

- Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape
that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox
Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and
the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability
affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. (CVE-2019-9812)

- Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR
68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with
enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects
Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
(CVE-2019-11740)

- A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of
SVG filters and a &lt;canvas&gt; element due to an error in how same-origin policy is applied to cached
image content. The resulting same-origin policy violation could allow for data theft. This vulnerability
affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
(CVE-2019-11742)

- Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in
some instances for the unload event, which restricts access to detailed timing attributes to only be same-
origin. This resulted in potential cross-origin information exposure of history through timing side-
channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox
ESR < 60.9, and Firefox ESR < 68.1. (CVE-2019-11743)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-11740

https://security.alpinelinux.org/vuln/CVE-2019-11742

https://security.alpinelinux.org/vuln/CVE-2019-11743

https://security.alpinelinux.org/vuln/CVE-2019-11744

https://security.alpinelinux.org/vuln/CVE-2019-11746

https://security.alpinelinux.org/vuln/CVE-2019-11752

https://security.alpinelinux.org/vuln/CVE-2019-9812

Plugin Details

Severity: Critical

ID: 404437

Version: Revision 1.31

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-11752

CVSS v3

Risk Factor: Critical

Base Score: 9.3

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-9812

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/3/2019

Reference Information

CVE: CVE-2019-11740, CVE-2019-11742, CVE-2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11752, CVE-2019-9812