ALAS2-2020-1468


Amazon Linux 2 Security Advisory: ALAS-2020-1468
Advisory Release Date: 2020-07-21 16:34 Pacific
Advisory Updated Date: 2020-07-21 20:57 Pacific
Severity: Important

Issue Overview:

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12418 )

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12419 )

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12421 )

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12420 )

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0. (CVE-2020-12417 )


Affected Packages:

thunderbird


Issue Correction:
Run yum update thunderbird to update your system.

New Packages:
src:
    thunderbird-68.9.0-1.amzn2.src

x86_64:
    thunderbird-68.9.0-1.amzn2.x86_64
    thunderbird-debuginfo-68.9.0-1.amzn2.x86_64