
I am trying to verify specifically which versions of Firefox are vulnerable to CVE-2024-8387.


I know that typically Mozilla does not put a low bound on advisories, and https://www.mozilla.org/en-US/security/advisories/mfsa2024-40/ is the advisory for vulnerabilities fixed in ESR 128.2. CVE-2024-8387 is listed here. Yet the advisory for 115, https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/, does not list this vulnerability. Was this something that was only impacting 128 (for the ESR builds), or is there a mistake, in that either 115.15 did patch it but it wasn't documented, or the patch has been missed and ESR 115 is still vulnerable?


Chosen solution

That CVE is a rollup of 3 separate bugs.

2 of them don't affect the 115 ESR.

1 of them did, but the issue itself was not as concerning and it had a lot of moving parts that would have been difficult to uplift.

Because the 115 ESR is out of support in the enterprise space, we chose not to fix that one issue in the ESR.

Read this answer in context 👍 2

All Replies (11)


The Firefox 115.15.0esr is vulnerable, yes; however, there have been Fx 115.16.0esr and Fx 115.16.1esr updates since Fx 115.15.0esr. There have also been Fx 128.3.0esr and Fx 128.3.1esr updates since the Fx 128.2.0esr you mentioned.

The older Firefox 115 ESR channel is planned to have updates till Fx 115.21.0esr in March 2025, though in early 2025 a decision will be made on whether to extend or not.

Fx 115.16.0esr: https://www.mozilla.org/security/advisories/mfsa2024-48/
Fx 115.16.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/
Fx 128.3.0esr: https://www.mozilla.org/security/advisories/mfsa2024-47/
Fx 128.3.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/

Firefox ESR known vulnerabilities: https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/
Firefox Release Notes: https://www.mozilla.org/firefox/releases/

The CVE-2024-8387 may have been a vulnerability found in later versions after Firefox 115.0 as to why it is not listed for any Firefox 115 ESR version. The Firefox 115.0 ESR is based on the Firefox 115.0 Release but with security/stability fixes since.

Modified by James


I appreciate the report that CVE-2024-8387 has been patched, but I cannot find it explicitly mentioned in any of the patches for 115 ESR. What we need to know is: was 115.15 or earlier vulnerable (or, to your point, was the functionality that was vulnerable made in a product update that was not changed until after the 115 ESR branch was split off)?

Neither 115.16, 115.16.1 nor any other advisories mention it. We can't assume it is or is not vulnerable, as the NVD page indicates all versions below 128.2, which implies that the only way to resolve it is to go to 128.2 ESR or higher.


Modified by cor-el


Even the NVD site https://nvd.nist.gov/vuln/detail/CVE-2024-8387 can be seen as somewhat contradictory. The beginning of the description indicates only that "Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1." but then the last sentence indicates "This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2." with no lower bound. Does this mean that there is no lower bound, or is the initial text accurate, that the vulnerability is only with Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1? I am not trying to be difficult, just that I still haven't seen anything that puts a lower bound on the vulnerability, or whether the 115 ESR branch is impacted and was then patched (as mentioned, none of the releases for 115 ESR mention the vuln, but it's unclear if that's an oversight in not patching it, not documenting that the patch is available, or that it was never vulnerable).


Any further insight from the Mozilla team?

It may seem like I am being stubborn in looking for clarification, but it's really not clear just which versions of ESR are vulnerable, and whether all have been patched. It is very clear that 128.1 ESR was patched with 128.2, but unclear whether 115 ESR was vulnerable at some version, and if so, whether any patches in ESR 115 resolve it, or whether it requires the jump to ESR 128.2 or above, which seems contradictory to the ESR branch purpose.


I would assume that this is about code that landed in Firefox 129 and thus affected 128.1.0 ESR (released along with 129) and 128.2.0 and 130.0 have the fix (i.e. Firefox ESR meaning the current 128 ESR branch and not the earlier 115 ESR branch).

  • Memory safety bugs present in Firefox 129, Firefox ESR 128.1
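The reading above (the "present in Firefox 129, Firefox ESR 128.1" sentence as the lower bound, the "< 128.2" range as the fix line) can be turned into a check a vulnerability-management team can run against an inventory of installed versions. This is an added example, not Mozilla's code or tooling; the version parser and the three verdict strings are hypothetical, and the only data it encodes is the two NVD sentences quoted on this page. It deliberately reports an older ESR train such as 115 as unconfirmed rather than guessing, because that is the gap the thread is about.

```python
import re
from dataclasses import dataclass

# Hypothetical parser for Mozilla-style version strings such as "115.16.1esr" or "130.0".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


@dataclass(frozen=True)
class FxVersion:
    major: int
    minor: int
    patch: int
    esr: bool

    @classmethod
    def parse(cls, text):
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Firefox version: {text!r}")
        return cls(int(m[1]), int(m[2]), int(m[3] or 0), m[4] is not None)

    @property
    def key(self):
        return (self.major, self.minor, self.patch)


# Fixed-in versions as NVD states them for CVE-2024-8387 (quoted in this thread):
# "Firefox < 130, Firefox ESR < 128.2", with no lower bound. Keyed by the esr flag.
NVD_FIXED = {False: FxVersion.parse("130.0"), True: FxVersion.parse("128.2.0esr")}
# Lower bound taken from the same description: "present in Firefox 129, Firefox ESR 128.1".
INTRODUCED = {False: FxVersion.parse("129.0"), True: FxVersion.parse("128.1.0esr")}


def nvd_literal(v):
    """Literal reading of the NVD range: everything below the fixed version is affected."""
    return "affected" if v.key < NVD_FIXED[v.esr].key else "fixed"


def branch_aware(v):
    """Apply the 'present in' sentence as a lower bound; older ESR trains get no verdict."""
    if v.key >= NVD_FIXED[v.esr].key:
        return "fixed"
    if v.key >= INTRODUCED[v.esr].key:
        return "affected"
    # Below both bounds (e.g. the 115 ESR train): the advisory text alone cannot say
    # whether the bug pre-dates the branch point, so flag it for vendor confirmation.
    return "unconfirmed: older branch, confirm with vendor"


def assess(text):
    v = FxVersion.parse(text)
    return {"version": text, "nvd_literal": nvd_literal(v), "branch_aware": branch_aware(v)}
```

Running `assess` over "128.1.0esr", "128.3.1esr" and "115.16.1esr" shows the two readings agree on the 128 train but diverge on 115, which is exactly the case a literal range scan cannot settle.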


That may be (and seems likely), but as Mozilla typically does not reference whether vulnerabilities are in earlier versions of a product, or make clear that this does NOT apply to ESR 115 due to it being caused by code changes in Firefox 129, how do we validate that it truly did not impact ESR 115?

Modified by NoahSUMO


Please understand I still need a clear answer on whether this was strictly something that was introduced in 129 / 128.1.0 ESR, or was actually from earlier code impacting 115 ESR.


Hey Keith, I didn't forget about you. I was trying to contact someone higher up who would know exactly. As it gets tricky for us regular folks to figure out which security exploits affect ESR builds.

You just reminded me that Mike Kaply may know this answer or be able to reach the right security engineer to get a clear answer.


I appreciate the continued investigation. If I could get directly to the security engineers I would be happy to chase it down there, but for end users and security teams where products are deployed, it's important to know where the risk originates, and unfortunately, advisories often just aren't explicit enough.


