Arch Linux Security Advisory ASA-202106-3
=========================================

Severity: High
Date    : 2021-06-01
CVE-ID  : CVE-2021-29959 CVE-2021-29960 CVE-2021-29961 CVE-2021-29966
          CVE-2021-29967
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2018

Summary
=======

The package firefox before version 89.0-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing,
information disclosure and access restriction bypass.

Resolution
==========

Upgrade to 89.0-1.

# pacman -Syu "firefox>=89.0-1"

The problems have been fixed upstream in version 89.0.

Workaround
==========

None.

Description
===========

- CVE-2021-29959 (access restriction bypass)

When a user has already allowed a website to access microphone and
camera, disabling camera sharing would not fully prevent the website
from re-enabling it without an additional prompt. This was only
possible if the website kept recording with the microphone until
re-enabling the camera.

- CVE-2021-29960 (information disclosure)

Firefox used to cache the last filename used for printing a file. When
generating a filename for printing, Firefox usually suggests the web
page title. The caching and suggestion techniques combined may have
led to the title of a website visited during private browsing mode
being stored on disk.

- CVE-2021-29961 (content spoofing)

When styling and rendering an oversized `