This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --===============7065124198295641021== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="G4ZtZBatJhoznAxiHPS4mloKULTcdYLzw"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --G4ZtZBatJhoznAxiHPS4mloKULTcdYLzw Content-Type: multipart/mixed; boundary="KysTYbJNpN0y7u2w6Jr5jRV5EOjpJclct"; protected-headers="v1" From: Chris Coulson <chris.coulson@canonical.com> Reply-To: Ubuntu Security <security@ubuntu.com> To: ubuntu-security-announce@lists.ubuntu.com Message-ID: <51e55c34-874c-a925-6e14-60c2f989bcf9@canonical.com> Subject: [USN-4054-2] Firefox regressions
--KysTYbJNpN0y7u2w6Jr5jRV5EOjpJclct Content-Type: text/plain; charset=utf- Content-Transfer-Encoding: quoted-printable Content-Language: en-US
========================================================================== Ubuntu Security Notice USN-4054-2 July 25, 2019
firefox regressions ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS
Summary:
USN-4054-1 caused some minor regressions in Firefox.
Software Description: - firefox: Mozilla Open Source web browser
Details:
USN-4054-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems.
We apologize for the inconvenience.
Original advisory details:
A sandbox escape was discovered in Firefox. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811) Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, conduct cross-site request forgery (CSRF) attacks, spoof origin attributes, spoof the addressbar contents, bypass safebrowsing protections, or execute arbitrary code. (CVE-2019-11709, CVE-2019-11710, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11718, CVE-2019-11719, CVE-2019-11720, CVE-2019-11721, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11729) It was discovered that Firefox treats all files in a directory as same origin. If a user were tricked in to downloading a specially crafted HTML file, an attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2019-11730)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 19.04: firefox 68.0.1+build1-0ubuntu0.19.04.1
Ubuntu 18.04 LTS: firefox 68.0.1+build1-0ubuntu0.18.04.1
Ubuntu 16.04 LTS: firefox 68.0.1+build1-0ubuntu0.16.04.1
After a standard system update you need to restart Firefox to make all the necessary changes.
References: https://usn.ubuntu.com/4054-2 https://usn.ubuntu.com/4054-1 https://launchpad.net/bugs/1837941
Package Information: https://launchpad.net/ubuntu/+source/firefox/68.0.1+build1-0ubuntu0.19.04.1 https://launchpad.net/ubuntu/+source/firefox/68.0.1+build1-0ubuntu0.18.04.1 https://launchpad.net/ubuntu/+source/firefox/68.0.1+build1-0ubuntu0.16.04.1
--KysTYbJNpN0y7u2w6Jr5jRV5EOjpJclct--
--G4ZtZBatJhoznAxiHPS4mloKULTcdYLzw Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEERN//5MGgCOgyKeIFYR+97NWUbg8FAl06Dd0ACgkQYR+97NWU bg/lgwf/R+0qNt65Zzc1VixPR94TaQdWV/7knmgQwL5KbEEfOUJlGzHtPeZzZtVq zCddWXO/q6Oc2GYbIBg7lddjPLnk+1Hxptc791Qyjcar1ETQ9YKySbn2yDkySfHg Gg/OvGxMcC8wmUZEUqj+yaFcw7p0fboXnz45Puc7F5v85NY9SdGd4e6+ROkuTaEI 5YrsyUVDkXwY662YG1bRbj+TdIr/UOxlwP8FIL1CuZX3mjCtqPLQx8gGOjf14iSp qj5xAxnzbl8Aad02moVpdQsaCD7jqT820MyeDv+t14b4gJCK+yTw2zGSFLZbglS8 mViSn8gZi9JQK2piSwdSn4RrW7KDiA== =BXEO -----END PGP SIGNATURE-----
--G4ZtZBatJhoznAxiHPS4mloKULTcdYLzw--
--===============7065124198295641021== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline
LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5 LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj dXJpdHktYW5ub3VuY2UK
--===============7065124198295641021==--
|