CVE-2024-11699
Publication date 26 November 2024
Last updated 26 November 2024
Ubuntu priority
Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Status
Package | Ubuntu Release | Status |
---|---|---|
firefox | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Vulnerable
|
|
mozjs102 | 24.10 oracular | Not in release |
24.04 LTS noble | Ignored | |
22.04 LTS jammy | Ignored | |
20.04 LTS focal | Not in release | |
mozjs115 | 24.10 oracular | Ignored |
24.04 LTS noble | Ignored | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
mozjs38 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Needs evaluation
|
|
mozjs52 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Ignored | |
18.04 LTS bionic | Ignored | |
mozjs68 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Ignored | |
mozjs78 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Ignored | |
20.04 LTS focal | Not in release | |
mozjs91 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Ignored | |
20.04 LTS focal | Not in release | |
thunderbird | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Vulnerable
|
|
20.04 LTS focal |
Vulnerable
|
Notes
mdeslaur
mozjs* contain a copy of the SpiderMonkey JavaScript engine. It is not feasible to backport security fixes to the mozjs* packages, as such, marking them as ignored. starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap starting with Ubuntu 24.04, the thunderbird package is just a script that installs the Thunderbird snap
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-11699
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-63/#CVE-2024-11699
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-64/#CVE-2024-11699
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-68/#CVE-2024-11699
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911
- https://www.mozilla.org/security/advisories/mfsa2024-63/
- https://www.mozilla.org/security/advisories/mfsa2024-64/
- https://www.mozilla.org/security/advisories/mfsa2024-67/
- https://www.mozilla.org/security/advisories/mfsa2024-68/