SB2019032302 - Information disclosure in firefox-esr (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2018-18506)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in proxy support implementation. When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing.

A remote attacker can trick the victim to visit a specially crafted website and gain unauthorized access to services or resources, exposed on user's system.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=5f4478599688e562154c7fc319b29c46f79083bf
• https://git.alpinelinux.org/aports/commit/?id=985780d336a595bbba269e8d1c32715d70dbee68