CVE-2023-4583

Name	CVE-2023-4583
Description	When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	132.0.2-1	fixed
firefox-esr (PTS)	jessie, jessie (lts)	68.9.0esr-1~deb8u2	vulnerable
	stretch (security), stretch (lts), stretch	91.11.0esr-1~deb9u1	vulnerable
	buster (security), buster, buster (lts)	115.12.0esr-1~deb10u1	fixed
	bullseye	115.14.0esr-1~deb11u1	fixed
	bullseye (security)	128.4.0esr-1~deb11u1	fixed
	bookworm	128.3.1esr-1~deb12u1	fixed
	bookworm (security)	128.4.0esr-1~deb12u1	fixed
	sid, trixie	128.4.0esr-1	fixed
thunderbird (PTS)	jessie, jessie (lts)	1:68.9.0-1~deb8u2	vulnerable
	stretch (security), stretch (lts), stretch	1:91.10.0-1~deb9u1	vulnerable
	buster (security), buster, buster (lts)	1:115.12.0-1~deb10u1	fixed
	bullseye	1:115.12.0-1~deb11u1	fixed
	bullseye (security)	1:128.4.3esr-1~deb11u1	fixed
	bookworm	1:115.16.0esr-1~deb12u1	fixed
	bookworm (security)	1:128.4.3esr-1~deb12u1	fixed
	sid, trixie	1:128.4.3esr-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
firefox	source	(unstable)	117.0-1
firefox-esr	source	jessie	(unfixed)	end-of-life
firefox-esr	source	stretch	(unfixed)	end-of-life
firefox-esr	source	buster	(not affected)
firefox-esr	source	bullseye	(not affected)
firefox-esr	source	bookworm	(not affected)
firefox-esr	source	(unstable)	115.2.0esr-1
thunderbird	source	jessie	(unfixed)	end-of-life
thunderbird	source	stretch	(unfixed)	end-of-life
thunderbird	source	buster	(not affected)
thunderbird	source	bullseye	(not affected)
thunderbird	source	bookworm	(not affected)
thunderbird	source	(unstable)	1:115.2.0-1

Notes

[bookworm] - firefox-esr <not-affected> (ESR 102 not affected)
[bullseye] - firefox-esr <not-affected> (ESR 102 not affected)
[buster] - firefox-esr <not-affected> (ESR 102 not affected)
[bookworm] - thunderbird <not-affected> (ESR 102 not affected)
[bullseye] - thunderbird <not-affected> (ESR 102 not affected)
[buster] - thunderbird <not-affected> (ESR 102 not affected)
https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/#CVE-2023-4583
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4583
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4583