I am trying to verify specifically which versions of Firefox are vulnerable to CVE-2024-8387.

  • 11 replies
  • 0 have this problem
  • 71 views
  • Last reply by Mike Kaply

I know that typically Mozilla does not put a lower bound on advisories, and https://www.mozilla.org/en-US/security/advisories/mfsa2024-40/ is the advisory for vulnerabilities fixed in ESR 128.2. CVE-2024-8387 is listed here. Yet the advisory for 115, https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/, does not list this vulnerability. Was this something that was only impacting 128 (for the ESR builds), or is there a mistake, in that either 115.15 did patch it but it wasn't documented, or the patch has been missed and ESR 115 is still vulnerable?

Chosen solution

That CVE is a rollup of 3 separate bugs.

2 of them don't affect the 115 ESR.

1 of them did, but the issue itself was not as concerning and it had a lot of moving parts that would have been difficult to uplift.

Because the 115 ESR is out of support in the enterprise space, we chose not to fix that one issue in the ESR.

👍 2
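The accepted answer above is the crux for anyone maintaining a fleet: the NVD range "Firefox ESR < 128.2" read literally flags every 115.x ESR build, while Mozilla's reply says the CVE rolls up three bugs, two of which never affected 115 ESR and one of which was left unfixed there. The following is an added example, not code from the thread or from Mozilla, that parses Firefox version strings and contrasts the naive NVD range check with a branch-aware classification that follows the thread's stated facts; the function and status names are my own.

```python
import re

# Ranges quoted on this page. NVD: "Firefox < 130, Firefox ESR < 128.2" (no lower bound).
# Mozilla's accepted answer: the CVE rolls up 3 bugs; 2 do not affect 115 ESR, 1 does
# and was deliberately left unfixed on the 115 branch.
FIXED_RELEASE = (130, 0, 0)
FIXED_ESR_128 = (128, 2, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(s):
    """'115.16.1esr' -> ((115, 16, 1), True); '129.0' -> ((129, 0, 0), False)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {s!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def naive_nvd_match(s):
    """Apply the NVD range literally: every ESR below 128.2 counts as affected."""
    ver, esr = parse_version(s)
    return ver < (FIXED_ESR_128 if esr else FIXED_RELEASE)


def cve_2024_8387_status(s):
    """Branch-aware classification that follows the thread's accepted answer."""
    ver, esr = parse_version(s)
    if not esr:
        return "vulnerable" if ver < FIXED_RELEASE else "fixed"
    if ver[0] >= 128:
        return "vulnerable" if ver < FIXED_ESR_128 else "fixed"
    if ver[0] == 115:
        # Per Mozilla: 1 of the 3 rolled-up bugs affects 115 ESR and will not be
        # fixed there; no 115.x update closes it, only moving to 128.2esr or later.
        return "partially-unfixed-branch"
    return "unknown-branch"  # the page gives no information for other ESR lines


if __name__ == "__main__":
    for v in ("115.16.1esr", "128.1.0esr", "128.3.1esr", "129.0", "130.0"):
        print(f"{v:>12}: naive={naive_nvd_match(v)!s:5} branch-aware={cve_2024_8387_status(v)}")
```

The naive check and the branch-aware one agree on 128.x ESR and on the release channel; they diverge only on 115.x ESR, which is exactly the ambiguity the thread is about.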

All comments (11)

The Firefox 115.15.0esr is vulnerable, yes; however, there have been Fx 115.16.0esr and Fx 115.16.1esr updates since Fx 115.15.0esr. There have also been Fx 128.3.0esr and Fx 128.3.1esr updates since the Fx 128.2.0esr you mentioned.

The older Firefox 115 ESR channel is planned to have updates until Fx 115.21.0esr in March 2025, though in early 2025 a decision will be made on whether to extend it or not.

Fx 115.16.0esr: https://www.mozilla.org/security/advisories/mfsa2024-48/
Fx 115.16.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/
Fx 128.3.0esr: https://www.mozilla.org/security/advisories/mfsa2024-47/
Fx 128.3.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/

Firefox ESR known vulnerabilities: https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/
Firefox Release Notes: https://www.mozilla.org/firefox/releases/

CVE-2024-8387 may have been a vulnerability found in later versions after Firefox 115.0, which is why it is not listed for any Firefox 115 ESR version. The Firefox 115.0 ESR is based on the Firefox 115.0 release, but with security/stability fixes since.

Modified by James

I appreciate the report that CVE-2024-8387 has been patched, but I cannot find it explicitly mentioned in any of the patches for 115 ESR. What we need to know is: was 115.15 or earlier vulnerable (or, to your point, was the functionality that was vulnerable made in a product update that was not changed until after the 115 ESR branch was split off)?

Neither 115.16, 115.16.1, nor any other advisories mention it. We can't assume it is or is not vulnerable, as the NVD page indicates all versions below 128.2, which implies that the only way to resolve it is to go to 128.2 ESR or higher.

Modified by cor-el

Even the NVD site https://nvd.nist.gov/vuln/detail/CVE-2024-8387 can be seen as somewhat contradictory. The beginning of the description indicates only that "Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1," but then the last sentence indicates "This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2," with no lower bound. Does this mean that there is no lower bound, or is the initial text accurate, that the vulnerability is only with Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1? I am not trying to be difficult; it's just that I still haven't seen anything that puts a lower bound on the vulnerability, or says whether the 115 ESR branch is impacted and was then patched (as mentioned, none of the releases for 115 ESR mention the vuln, but it's unclear if that's an oversight in not patching it, in not documenting that the patch is available, or that it was never vulnerable).

Any further insight from the Mozilla team?

It may seem like I am being stubborn in looking for clarification, but it's really not clear just which versions of ESR are vulnerable, and whether all have been patched. It is very clear that 128.1 ESR was patched with 128.2, but unclear whether 115 ESR was vulnerable at some version, and if so, whether any patches in ESR 115 resolve it, or if it requires the jump to ESR 128.2 or above, which seems contradictory to the ESR branch's purpose.

I would assume that this is about code that landed in Firefox 129 and thus affected 128.1.0 ESR (released along with 129), and that 128.2.0 and 130.0 have the fix (i.e. "Firefox ESR" meaning the current 128 ESR branch and not the earlier 115 ESR branch).

  • Memory safety bugs present in Firefox 129, Firefox ESR 128.1


That may be (and seems likely), but as Mozilla typically does not reference whether vulnerabilities are in earlier versions of the product, or make clear that this does NOT apply to ESR 115 due to it being caused by code changes in Firefox 129, how do we validate that it truly did not impact ESR 115?

Modified by NoahSUMO

Please understand that I still need a clear answer on whether this was strictly something that was introduced in 129 / 128.1.0 ESR, or was actually from earlier code impacting 115 ESR.

Hey Keith, I didn't forget about you. I was trying to contact someone higher up who would know exactly, as it gets tricky for us regular folks to figure out which security exploits affect ESR builds.

You just reminded me that Mike Kaply may know this answer or be able to reach the right security engineer to get a clear answer.


I appreciate the continued investigation. If I could get directly to the security engineers I would be happy to chase it down there, but for end users and security teams where products are deployed, it's important to know where the risk originates, and unfortunately, advisories often just aren't explicit enough.
