I am trying to verify specifically which versions of Firefox are vulnerable to CVE-2024-8387.
I know that typically mozilla does not put a low bound on advisories, and https://www.mozilla.org/en-US/security/advisories/mfsa2024-40/ is the advisory for vulnerabilities fixed in ESR 128.2. CVE-2024-8387 is listed here. yet the advisory for 115, https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/ does not list this vulnerability. Was this something that was only impacting 128 (for the ESR builds) or is there a mistake that either 115.15 did patch it but it wasn't documented, or the patch has been missed and ESR 115 is still vulnerable?
모든 댓글 (4)
The Firefox 115.15.0esr is vulnerable yes however there has been Fx 115.16.0esr and Fx 115.16.1esr updates since Fx 115.15.0esr. There has also been Fx 128.3.0esr and Fx 128.3.1esr updates since the Fx 128.2.0esr you mentioned.
The older Firefox 115 ESR channel is planned to have updates till Fx 115.21.0esr in March 2025, though in early 2025 a decision will be made on whether to extend or not.
Fx 115.16.0esr: https://www.mozilla.org/security/advisories/mfsa2024-48/ Fx 115.16.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/ Fx 128.3.0esr: https://www.mozilla.org/security/advisories/mfsa2024-47/ Fx128.3.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/
https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/ Firefox Release Notes: https://www.mozilla.org/firefox/releases/
The CVE-2024-8387 may have been a vulnerability found in later versions after Firefox 115.0 as to why it is not listed for any Firefox 115 ESR version. The Firefox 115.0 ESR is based on the Firefox 115.0 Release but with security/stability fixes since.
글쓴이 James 수정일시
I appreciate the report that CVE-2024-8387 has been patched, but I cannot find it expicitly mentioned in any of the patches for 115 ESR. What w need to know is, was 115.15 or earlier vulnerable (or to your point, was the functionality that was vulnerable made in a product update that was not changed until after the 115 ESR branch was split off).
Neither 115.16, 115.16.1 or any other advisories mention it. We cant assume it is or is not vulnerable as the NVD pages indicates all versions below 128.2, which implies that the only way to resolve it is to go to 128.2 ESR or higher.
See also:
글쓴이 cor-el 수정일시
Even the NVD site https://nvd.nist.gov/vuln/detail/CVE-2024-8387 can be seen as somewhat contradictory. the beginning of the description indicates only that "Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. " but then the last sentence indicates "This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2." with no lower bound. Does this mean that there is no ower bound, or is the initial text accurate , that the vulnerability is only with Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1? I am not trying to be difficult, just that I still haven't seen anything that puts a lower bound on the vulnerability. or whether the 115 ESR branch is impacted andd was then patched (as mentioned, none of the releases fr 115 ESR mention the vuln, but unclear if thats an oversight in not patching it, not documenting the patch is available, or that it was never vulnerable)
글에 답글을 달기 위해서는 계정으로 로그인해야만 합니다. 계정이 아직 없다면 새로운 질문을 올려주세요.