Bug 1149299 (CVE-2019-11740) - VUL-0: CVE-2019-11740: MozillaFirefox,MozillaThunderbird: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
Summary: VUL-0: CVE-2019-11740: MozillaFirefox,MozillaThunderbird: Memory safety bugs ...
Status: RESOLVED FIXED
Alias: CVE-2019-11740
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/241679/
Whiteboard:
Keywords:
Depends on: 1149323 1149324 1152848
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-04 06:49 UTC by Alexander Bergmann
Modified: 2022-09-06 16:42 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-09-04 06:49:35 UTC 
CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

Reporter   Mozilla developers and community
Impact     high

Description
Mozilla developers and community members Tyson Smith and Nathan Froyd reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11740
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160
https://bugzilla.redhat.com/show_bug.cgi?id=1748652
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11740
Comment 3 Swamp Workflow Management 2019-09-17 19:19:24 UTC 
SUSE-SU-2019:14173-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1145550,1149294,1149295,1149296,1149297,1149298,1149299,1149303
CVE References: CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11753,CVE-2019-9812
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-60.9.0esr-78.46.2, firefox-glib2-2.54.3-2.11.1, firefox-gtk3-3.10.9-2.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-09-23 16:11:43 UTC 
SUSE-SU-2019:2436-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1149294,1149295,1149296,1149297,1149298,1149299,1149303,1149304,1149324
CVE References: CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11753,CVE-2019-9812
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP4 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Enterprise Storage 5 (src):    MozillaFirefox-60.9.0-109.86.1
SUSE Enterprise Storage 4 (src):    MozillaFirefox-60.9.0-109.86.1
HPE Helion Openstack 8 (src):    MozillaFirefox-60.9.0-109.86.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-10-02 16:28:20 UTC 
SUSE-SU-2019:2515-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-68.1.1-3.51.1
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-68.1.1-3.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-10-03 19:13:11 UTC 
SUSE-SU-2019:2545-1: An update that fixes 29 vulnerabilities is now available.

Category: security (important)
Bug References: 1109465,1117473,1123482,1124525,1133810,1138688,1140868,1141322,1145665,1149292,1149293,1149294,1149295,1149296,1149297,1149298,1149299,1149302,1149303,1149304,1149323
CVE References: CVE-2019-11710,CVE-2019-11714,CVE-2019-11716,CVE-2019-11718,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-9811,CVE-2019-9812
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    MozillaFirefox-68.1.0-3.54.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    MozillaFirefox-68.1.0-3.54.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-68.1.0-3.54.2, MozillaFirefox-branding-SLE-68-4.8.5
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    MozillaFirefox-68.1.0-3.54.2, MozillaFirefox-branding-SLE-68-4.8.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-10-04 16:24:15 UTC 
openSUSE-SU-2019:2249-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-68.1.1-lp151.2.13.1, enigmail-2.1.2-lp151.2.6.1
Comment 12 Swamp Workflow Management 2019-10-04 16:28:13 UTC 
openSUSE-SU-2019:2248-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
openSUSE Leap 15.0 (src):    MozillaThunderbird-68.1.1-lp150.3.51.1, enigmail-2.1.2-lp150.34.1
Comment 13 Swamp Workflow Management 2019-10-05 04:13:15 UTC 
openSUSE-SU-2019:2251-1: An update that fixes 29 vulnerabilities is now available.

Category: security (important)
Bug References: 1109465,1117473,1123482,1124525,1133810,1138688,1140868,1141322,1145665,1149292,1149293,1149294,1149295,1149296,1149297,1149298,1149299,1149302,1149303,1149304,1149323
CVE References: CVE-2019-11710,CVE-2019-11714,CVE-2019-11716,CVE-2019-11718,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-9811,CVE-2019-9812
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-68.1.0-lp151.2.14.1
Comment 14 Swamp Workflow Management 2019-10-06 13:21:05 UTC 
openSUSE-SU-2019:2260-1: An update that fixes 29 vulnerabilities is now available.

Category: security (important)
Bug References: 1109465,1117473,1123482,1124525,1133810,1138688,1140868,1141322,1145665,1149292,1149293,1149294,1149295,1149296,1149297,1149298,1149299,1149302,1149303,1149304,1149323
CVE References: CVE-2019-11710,CVE-2019-11714,CVE-2019-11716,CVE-2019-11718,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-9811,CVE-2019-9812
Sources used:
openSUSE Leap 15.0 (src):    MozillaFirefox-68.1.0-lp150.3.66.1
Comment 15 Alexandros Toptsoglou 2020-02-04 14:42:51 UTC 
Closing