Main Vulnerability Database SB2019052727

SB2019052727 - Race condition in firefox-esr (Alpine package)

Published: May 27, 2019

Security Bulletin ID SB2019052727

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Race condition (CVE-ID: CVE-2019-9815)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to enabled hyperthreading in applications running untrusted code in a thread through a new sysctl on macOS. A remote attacker can perform timing attack, similar to previous Spectre attacks and execute arbitrary code on the target system.

The vulnerability affects macOS users.

For this mitigation to take effect, users must install macOS 10.14.5.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=19d91779a5cd79292c972f6acdf04ef87ed7379e
https://git.alpinelinux.org/aports/commit/?id=5d004d13d3cfbb28cda2846e1c88900d5a8d1040