===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4668
     MFSA 2022-41 Security Vulnerabilities fixed in Firefox ESR 102.3
                             21 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox ESR
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40962 CVE-2022-40960 CVE-2022-40959
                   CVE-2022-40958 CVE-2022-40957 CVE-2022-40956

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/

Comment: CVSS (Max):  None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-41

Security Vulnerabilities fixed in Firefox ESR 102.3

Announced: September 20, 2022
Impact:    high
Products:  Firefox ESR
Fixed in:  Firefox ESR 102.3

# CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages

Reporter: Armin Ebert
Impact:   high

Description

During iframe navigation, certain pages did not have their FeaturePolicy fully
initialized, leading to a bypass that leaked device permissions into untrusted
subdocuments.

References

  o Bug 1782211

# CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads

Reporter: Armin Ebert
Impact:   high

Description

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This
could lead to a use-after-free causing a potentially exploitable crash.

References

  o Bug 1787633

# CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix

Reporter: Axel Chong (@Haxatron)
Impact:   moderate

Description

By injecting a cookie with certain special characters, an attacker on a shared
subdomain which is not a secure context could set and thus overwrite cookies
from a secure context, leading to session fixation and other attacks.

References

  o Bug 1779993

# CVE-2022-40956: Content-Security-Policy base-uri bypass

Reporter: Satoki Tsuji
Impact:   low

Description

When injecting an HTML base element, some requests would ignore the CSP's
base-uri settings and accept the injected element's base instead.

References

  o Bug 1770094

# CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64

Reporter: Gary Kwong
Impact:   low

Description

Inconsistent data in instruction and data cache when creating wasm code could
lead to a potentially exploitable crash.
This bug only affects Firefox on ARM64 platforms.

References

  o Bug 1777604

# CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian
Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety
bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort some of
these could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

--------------------------END INCLUDED TEXT--------------------
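
Added example (not part of the Mozilla advisory or the AusCERT bulletin): a small triage helper that takes the banner printed by `firefox --version` plus the host architecture and lists which CVEs from this advisory still apply. The function names and the sample inventory are constructed for illustration, and it assumes any ESR build below 102.3 is unpatched, since the advisory gives only the fixed release.

```python
import re

# Fixed release and CVE list taken from the advisory text above.
FIXED_ESR = (102, 3, 0)
ADVISORY_CVES = [
    "CVE-2022-40956", "CVE-2022-40957", "CVE-2022-40958",
    "CVE-2022-40959", "CVE-2022-40960", "CVE-2022-40962",
]
# The advisory states this one only affects Firefox on ARM64 platforms.
ARM64_ONLY = {"CVE-2022-40957"}
ARM64_NAMES = {"aarch64", "arm64"}

_BANNER_RE = re.compile(r"Mozilla Firefox (\d+(?:\.\d+){0,2})(esr)?\s*$")


def parse_version(banner):
    """Return ((major, minor, patch), is_esr) or None if the banner is unrecognised."""
    m = _BANNER_RE.search(banner.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "102.3" -> (102, 3, 0)
    return tuple(parts), m.group(2) is not None


def applicable_cves(banner, arch):
    """List advisory CVEs that still apply; None if the build is not ESR."""
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    version, is_esr = parsed
    if not is_esr:
        return None                          # outside the scope of this ESR advisory
    if version >= FIXED_ESR:
        return []                            # already at or past the fixed release
    on_arm64 = arch.lower() in ARM64_NAMES
    return [c for c in ADVISORY_CVES if c not in ARM64_ONLY or on_arm64]


if __name__ == "__main__":
    # Constructed sample inventory: (host, version banner, architecture).
    inventory = [
        ("ws-01", "Mozilla Firefox 102.2.0esr", "x86_64"),
        ("ws-02", "Mozilla Firefox 102.3.0esr", "x86_64"),
        ("sbc-07", "Mozilla Firefox 102.2.0esr", "aarch64"),
    ]
    for host, banner, arch in inventory:
        print(host, applicable_cves(banner, arch))
```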

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================