Alpine: multiple firefox-esr packages: security update to 60.6.1-r0

critical Tenable Self-Hosted Container Security Plugin ID 426867

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the
refresh driver twice when only a single registration is expected. When a registration is later freed with
the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer
to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and
Firefox < 66. (CVE-2019-9796)

- When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a
PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent
through the proxy to another server. This behavior is disallowed by default when a proxy is manually
configured, but when enabled could allow for attacks on services and tools that bind to the localhost for
networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65.
(CVE-2018-18506)

- Mozilla developers and community members reported memory safety bugs present in Firefox 65, Firefox ESR
60.5, and Thunderbird 60.5. Some of these bugs showed evidence of memory corruption and we presume that
with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects
Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. (CVE-2019-9788)

- A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using
JavaScript and the element is then removed while still in use. This results in a potentially exploitable
crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.
(CVE-2019-9790)

- The type inference system allows the compilation of functions that can cause type confusions between
arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor
function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and
writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR
< 60.6, and Firefox < 66. (CVE-2019-9791)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-18506

https://security.alpinelinux.org/vuln/CVE-2019-9788

https://security.alpinelinux.org/vuln/CVE-2019-9790

https://security.alpinelinux.org/vuln/CVE-2019-9791

https://security.alpinelinux.org/vuln/CVE-2019-9792

https://security.alpinelinux.org/vuln/CVE-2019-9793

https://security.alpinelinux.org/vuln/CVE-2019-9794

https://security.alpinelinux.org/vuln/CVE-2019-9795

https://security.alpinelinux.org/vuln/CVE-2019-9796

https://security.alpinelinux.org/vuln/CVE-2019-9801

https://security.alpinelinux.org/vuln/CVE-2019-9810

https://security.alpinelinux.org/vuln/CVE-2019-9813

Plugin Details

Severity: Critical

ID: 426867

Version: Revision 1.6

Type: Local

Published: 5/16/2025

Updated: 11/25/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

Percentile: 99.76

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9796

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/29/2019

Reference Information

CVE: CVE-2018-18506, CVE-2019-9788, CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9793, CVE-2019-9794, CVE-2019-9795, CVE-2019-9796, CVE-2019-9801, CVE-2019-9810, CVE-2019-9813

BID: 106773, 107487, 107548