This issue was fixed in Thunderbird 24.3.0.1, ESR 24.3.0.1, and Firefox 27.0.1. If you are running any version of these further releases, you should update as soon as possible.

Additionally, the Mozilla Fuzzing Team found several issues in Firefox’s code generator that could lead to a Remote Code Execution (RCE) attack. These issues were fixed in Firefox ESR 24.3.0.1 and Firefox 27.0.1. If you are using either of these further releases, you should update as soon as possible.

Last but not least, Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich reported a ton of memory safety issues in Firefox. These issues were fixed in Firefox ESR 24.3.0.1, Firefox 27.0.1, and Firefox versions after these. If you are using any of these releases, you should update as soon as possible. For more information about the security fixes in these versions, see the official release notes.

Mozilla recommends updating ASAP

Updating as soon as possible means, in this case, updating to Firefox 27.0.1 and ESR 24.3.0.1 for now, as these releases contain the following security fixes:
- CVE-2022-29917: This issue was fixed in Thunderbird 24.3.0.1, ESR 24.3.0.1, and Firefox 27.0 of May 5, 2016;
- CVE-2020-9027: This issue was fixed in Thunderbird 24 - Thunderbird 45 of November 12, 2015;
- CVE-2018-12376: This issue was fixed in Firefox 22 of March 23, 2017;
- CVE-2018-12377: This issue was fixed in Firefox 23 of March 23, 2017;
- CVE-2018-12378: This issue was fixed in Firefox 26 of March 23, 2017;
- CVE-2018-12379: These issues were fixed in Firefox 27 of May 5th, 2017;
- CVE-2019-18496 and CVE-2019-18499: This issue was fixed by Mozilla on June 4th, 2019.

Firefox ESR 24.3.0.1

Mozilla released Firefox ESR 24.3.0.1 with security fixes to address these critical issues. If you are using any version of Firefox ESR, you should update as soon as possible. For more information about the security fixes in this release, see the official release notes.

Installation of security updates

You should always keep your operating system and software up-to-date to avoid security issues. If you are running a recent version of Firefox, upgrading to the latest version is recommended. For Thunderbird, follow the instructions on our download page; for ESR, see https://www.mozilla.org/en-US/firefox/organizations/all/.

If you cannot update Firefox or Thunderbird, or if you need to downgrade before installing a new version, you can use the Mozilla Maintenance Service instead.

Mozilla Firefox ESR 24.3.0.1

Mozilla Firefox ESR 24.3.0.1 is Mozilla’s second extended support release on the Extended Support Release channel and is now available to download in various languages and with various localization options for Windows, Mac, and Linux platforms. This release also includes security fixes and stability improvements as described below:

- CVE-2022-29917: Multiple memory safety issues found in the code generator in Firefox version 24
- CVE-2022-29918: Out of bounds read vulnerability found in the code generator in Firefox version 24
- CVE-2022-29919: Memory safety issue found in libstagefright in Firefox version 24
- CVE-2022-29920: Heap overflow vulnerability found in libstagefright in Firefox version 24

Additional information about these vulnerabilities can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=CVE (CVE ids: CVE-2022-29917, CVE-2022-29918, CVE-2022-29919, CVE-2022-29920).

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 22:12:00 UTC
