[SECURITY] [DSA 5509-1] firefox-esr security update

2023-09-2917:55:10

lists.debian.org

buffer overflow

mozilla firefox esr

vp8 media

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.245 Low

EPSS

Percentile

96.7%

JSON

Debian Security Advisory DSA-5509-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
September 29, 2023 https://www.debian.org/security/faq

Package : firefox-esr
CVE ID : CVE-2023-5217

A buffer overflow in VP8 media stream processing has been found in the
Mozilla Firefox web browser, which could potentially result in the
execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed
in version 115.3.1esr-1~deb11u1.

For the stable distribution (bookworm), this problem will be fixed
via the libvpx source package, Firefox ESR in Bookworm links dynamically
against libvpx.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian10alliceweasel-l10n-ta< 1:115.3.1esr-1~deb10u1iceweasel-l10n-ta_1:115.3.1esr-1~deb10u1_all.deb
Debian11amd64vpx-tools-dbgsym< 1.9.0-1+deb11u1vpx-tools-dbgsym_1.9.0-1+deb11u1_amd64.deb
Debian10allthunderbird-l10n-zh-cn< 1:115.3.1-1~deb10u1thunderbird-l10n-zh-cn_1:115.3.1-1~deb10u1_all.deb
Debian10arm64vpx-tools< 1.7.0-3+deb10u2vpx-tools_1.7.0-3+deb10u2_arm64.deb
Debian10allfirefox-esr-l10n-cs< 115.3.1esr-1~deb10u1firefox-esr-l10n-cs_115.3.1esr-1~deb10u1_all.deb
Debian10allthunderbird-l10n-fy-nl< 1:115.3.1-1~deb10u1thunderbird-l10n-fy-nl_1:115.3.1-1~deb10u1_all.deb
Debian12mips64elvpx-tools< 1.12.0-1+deb12u1vpx-tools_1.12.0-1+deb12u1_mips64el.deb
Debian11arm64chromium-dbgsym< 117.0.5938.132-1~deb11u1chromium-dbgsym_117.0.5938.132-1~deb11u1_arm64.deb
Debian10armhflibvpx-dev< 1.7.0-3+deb10u2libvpx-dev_1.7.0-3+deb10u2_armhf.deb
Debian10alliceweasel-l10n-trs< 1:115.3.1esr-1~deb10u1iceweasel-l10n-trs_1:115.3.1esr-1~deb10u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	iceweasel-l10n-ta	< 1:115.3.1esr-1~deb10u1	iceweasel-l10n-ta_1:115.3.1esr-1~deb10u1_all.deb
Debian	11	amd64	vpx-tools-dbgsym	< 1.9.0-1+deb11u1	vpx-tools-dbgsym_1.9.0-1+deb11u1_amd64.deb
Debian	10	all	thunderbird-l10n-zh-cn	< 1:115.3.1-1~deb10u1	thunderbird-l10n-zh-cn_1:115.3.1-1~deb10u1_all.deb
Debian	10	arm64	vpx-tools	< 1.7.0-3+deb10u2	vpx-tools_1.7.0-3+deb10u2_arm64.deb
Debian	10	all	firefox-esr-l10n-cs	< 115.3.1esr-1~deb10u1	firefox-esr-l10n-cs_115.3.1esr-1~deb10u1_all.deb
Debian	10	all	thunderbird-l10n-fy-nl	< 1:115.3.1-1~deb10u1	thunderbird-l10n-fy-nl_1:115.3.1-1~deb10u1_all.deb
Debian	12	mips64el	vpx-tools	< 1.12.0-1+deb12u1	vpx-tools_1.12.0-1+deb12u1_mips64el.deb
Debian	11	arm64	chromium-dbgsym	< 117.0.5938.132-1~deb11u1	chromium-dbgsym_117.0.5938.132-1~deb11u1_arm64.deb
Debian	10	armhf	libvpx-dev	< 1.7.0-3+deb10u2	libvpx-dev_1.7.0-3+deb10u2_armhf.deb
Debian	10	all	iceweasel-l10n-trs	< 1:115.3.1esr-1~deb10u1	iceweasel-l10n-trs_1:115.3.1esr-1~deb10u1_all.deb