From: Jan Beich
Date: Tue, 7 Mar 2017 18:13:23 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r435627 - head/security/vuxml

Author: jbeich
Date: Tue Mar 7 18:13:23 2017
New Revision: 435627
URL: https://svnweb.freebsd.org/changeset/ports/435627

Log:
  security/vuxml: mark firefox < 52 as vulnerable

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Mar 7 18:01:14 2017 (r435626) +++ head/security/vuxml/vuln.xml Tue Mar 7 18:13:23 2017 (r435627) @@ -58,6 +58,113 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mozilla -- multiple vulnerabilities + + + firefox + 52.0_1,1 + + + seamonkey + linux-seamonkey + 2.49 + + + firefox-esr + 46.0,152.0,1 + 45.8.0_1,1 + + + linux-firefox + 46.0,252.0,2 + 45.8.0_1,2 + + + libxul + 46.052.0 + 45.8.0_1 + + + thunderbird + linux-thunderbird + 46.052.0 + 45.8.0 + + + + +

Mozilla Foundation reports:

+
+

CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

+

CVE-2017-5401: Memory Corruption when handling ErrorResult

+

CVE-2017-5402: Use-after-free working with events in FontFace objects

+

CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object

+

CVE-2017-5404: Use-after-free working with ranges in selections

+

CVE-2017-5406: Segmentation fault in Skia with canvas operations

+

CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters

+

CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping

+

CVE-2017-5411: Use-after-free in Buffer Storage in libGLES

+

CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service

+

CVE-2017-5408: Cross-origin reading of video captions in violation of CORS

+

CVE-2017-5412: Buffer overflow read in SVG filters

+

CVE-2017-5413: Segmentation fault during bidirectional operations

+

CVE-2017-5414: File picker can choose incorrect default directory

+

CVE-2017-5415: Addressbar spoofing through blob URL

+

CVE-2017-5416: Null dereference crash in HttpChannel

+

CVE-2017-5417: Addressbar spoofing by draging and dropping URLs

+

CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access

+

CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running

+

CVE-2017-5427: Non-existent chrome.manifest file loaded during startup

+

CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses

+

CVE-2017-5419: Repeated authentication prompts lead to DOS attack

+

CVE-2017-5420: Javascript: URLs can obfuscate addressbar location

+

CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports

+

CVE-2017-5421: Print preview spoofing

+

CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink

+

CVE-2017-5399: Memory safety bugs fixed in Firefox 52

+

CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

+
+ +
+ + CVE-2017-5400 + CVE-2017-5401 + CVE-2017-5402 + CVE-2017-5403 + CVE-2017-5404 + CVE-2017-5406 + CVE-2017-5407 + CVE-2017-5410 + CVE-2017-5411 + CVE-2017-5409 + CVE-2017-5408 + CVE-2017-5412 + CVE-2017-5413 + CVE-2017-5414 + CVE-2017-5415 + CVE-2017-5416 + CVE-2017-5417 + CVE-2017-5425 + CVE-2017-5426 + CVE-2017-5427 + CVE-2017-5418 + CVE-2017-5419 + CVE-2017-5420 + CVE-2017-5405 + CVE-2017-5421 + CVE-2017-5422 + CVE-2017-5399 + CVE-2017-5398 + https://www.mozilla.org/security/advisories/mfsa2017-05/ + https://www.mozilla.org/security/advisories/mfsa2017-06/ + + + 2017-03-07 + 2017-03-07 + +
+ codeigniter -- multiple vulnerabilities
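Review bot: The version bounds in the affected-packages block at the top of the new entry are not uniform across ports, and nothing in the entry says why. firefox is bounded at 52.0_1,1, while the firefox-esr and linux-firefox ranges stop at 52.0,1 and 52.0,2 with no port-revision suffix. Likewise firefox-esr, linux-firefox and libxul use 45.8.0_1 for the ESR branch, but thunderbird and linux-thunderbird use plain 45.8.0. A bound that is off by one port revision makes pkg audit either miss a vulnerable package or keep flagging a fixed one, so please confirm that each value is the first revision of that port carrying the fix, or add a short XML comment noting that the suffixes differ on purpose. Separately, the Log line names only firefox < 52, while the entry also marks seamonkey, firefox-esr, linux-firefox, libxul and thunderbird; a log that lists them would make the revision easier to find later.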