Arch Linux Security Advisory ASA-202002-5
=========================================

Severity: Critical
Date    : 2020-02-11
CVE-ID  : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800 CVE-2020-6801
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1096

Summary
=======

The package firefox before version 73.0-1 is vulnerable to multiple
issues including arbitrary code execution and cross-site scripting.

Resolution
==========

Upgrade to 73.0-1.

# pacman -Syu "firefox>=73.0-1"

The problems have been fixed upstream in version 73.0.

Workaround
==========

None.

Description
===========

- CVE-2020-6796 (arbitrary code execution)

A missing bounds check on shared memory read in the parent process has
been found in Firefox before 73.0. A content process could have
modified shared memory relating to crash reporting information, crash
itself, and cause an out-of-bounds write. This could have caused memory
corruption and a potentially exploitable crash.

- CVE-2020-6798 (cross-site scripting)

An incorrect parsing of template could result in JavaScript injection
in Firefox before 73.0 and Thunderbird before 68.5. If a