1. Ubuntu Security Notices
  2. USN-4122-1

USN-4122-1: Firefox vulnerabilities

Publication date

4 September 2019

Overview

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Releases

Packages

  • firefox - Mozilla Open Source web browser

Details

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to obtain sensitive information, bypass Content
Security Policy (CSP) protections, bypass same-origin restrictions,
conduct cross-site scripting (XSS) attacks, cause a denial of service, or
execute arbitrary code. (CVE-2019-5849, CVE-2019-11734, CVE-2019-11735,
CVE-2019-11737, CVE-2019-11738, CVE-2019-11740, CVE-2019-11742,
CVE-2019-11743, CVE-2019-11744, CVE-2019-11746,

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to obtain sensitive information, bypass Content
Security Policy (CSP) protections, bypass same-origin restrictions,
conduct cross-site scripting (XSS) attacks, cause a denial of service, or
execute arbitrary code. (CVE-2019-5849, CVE-2019-11734, CVE-2019-11735,
CVE-2019-11737, CVE-2019-11738, CVE-2019-11740, CVE-2019-11742,
CVE-2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11748,
CVE-2019-11749, CVE-2019-11750, CVE-2019-11752)

It was discovered that a compromised content process could log in to a
malicious Firefox Sync account. An attacker could potentially exploit
this, in combination with another vulnerability, to disable the sandbox.
(CVE-2019-9812)

It was discovered that addons.mozilla.org and accounts.firefox.com could
be loaded in to the same content process. An attacker could potentially
exploit this, in combination with another vulnerability that allowed a
cross-site scripting (XSS) attack, to modify browser settings.
(CVE-2019-11741)

It was discovered that the "Forget about this site" feature in the history
pane removes HTTP Strict Transport Security (HSTS) settings for sites on
the pre-load list. An attacker could potentially exploit this to bypass
the protections offered by HSTS. (CVE-2019-11747)

Update instructions

After a standard system update you need to restart Firefox to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
19.04 disco firefox –  69.0+build2-0ubuntu0.19.04.1
18.04 bionic firefox –  69.0+build2-0ubuntu0.18.04.1
16.04 xenial firefox –  69.0+build2-0ubuntu0.16.04.4

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›