Date: Tue, 15 Nov 2016 22:02:54 +0000 (UTC) From: Jan Beich <jbeich@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r426187 - head/security/vuxml Message-ID: <201611152202.uAFM2sSp082177@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jbeich Date: Tue Nov 15 22:02:53 2016 New Revision: 426187 URL: https://svnweb.freebsd.org/changeset/ports/426187 Log: security/vuxml: add entry for r425098, r425099, r425470 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Nov 15 21:57:16 2016 (r426186) +++ head/security/vuxml/vuln.xml Tue Nov 15 22:02:53 2016 (r426187) @@ -58,6 +58,104 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="d1853110-07f4-4645-895b-6fd462ad0589"> + <topic>mozilla -- multiple vulnerabilities</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>50.0_1,1</lt></range> + </package> + <package> + <name>seamonkey</name> + <name>linux-seamonkey</name> + <range><lt>2.47</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>45.5.0,1</lt></range> + </package> + <package> + <name>linux-firefox</name> + <range><lt>45.5.0,2</lt></range> + </package> + <package> + <name>libxul</name> + <name>thunderbird</name> + <name>linux-thunderbird</name> + <range><lt>45.5.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Mozilla Foundation reports:</p> + <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/">; + <p>CVE-2016-5289: Memory safety bugs fixed in Firefox 50</p> + <p>CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5</p> + <p>CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file</p> + <p>CVE-2016-5292: URL parsing causes crash</p> + <p>CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log h</p> + <p>CVE-2016-5294: Arbitrary target directory for result files of update process</p> + <p>CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM</p> + <p>CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1</p> + <p>CVE-2016-5297: Incorrect argument length checking in Javascript</p> + <p>CVE-2016-5298: SSL indicator can mislead the user about the real URL visited</p> + <p>CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an app</p> + <p>CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an a</p> + <p>CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file</p> + <p>CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat</p> + <p>CVE-2016-9064: Addons update must verify IDs match between current and new versions</p> + <p>CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen</p> + <p>CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler</p> + <p>CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore</p> + <p>CVE-2016-9068: heap-use-after-free in nsRefreshDriver</p> + <p>CVE-2016-9070: Sidebar bookmark can have reference to chrome window</p> + <p>CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP</p> + <p>CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile</p> + <p>CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"</p> + <p>CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler</p> + <p>CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges</p> + <p>CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s</p> + <p>CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing atta</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-5289</cvename> + <cvename>CVE-2016-5290</cvename> + <cvename>CVE-2016-5291</cvename> + <cvename>CVE-2016-5292</cvename> + <cvename>CVE-2016-5293</cvename> + <cvename>CVE-2016-5294</cvename> + <cvename>CVE-2016-5295</cvename> + <cvename>CVE-2016-5296</cvename> + <cvename>CVE-2016-5297</cvename> + <cvename>CVE-2016-5298</cvename> + <cvename>CVE-2016-5299</cvename> + <cvename>CVE-2016-9061</cvename> + <cvename>CVE-2016-9062</cvename> + <cvename>CVE-2016-9063</cvename> + <cvename>CVE-2016-9064</cvename> + <cvename>CVE-2016-9065</cvename> + <cvename>CVE-2016-9066</cvename> + <cvename>CVE-2016-9067</cvename> + <cvename>CVE-2016-9068</cvename> + <cvename>CVE-2016-9070</cvename> + <cvename>CVE-2016-9071</cvename> + <cvename>CVE-2016-9072</cvename> + <cvename>CVE-2016-9073</cvename> + <cvename>CVE-2016-9074</cvename> + <cvename>CVE-2016-9075</cvename> + <cvename>CVE-2016-9076</cvename> + <cvename>CVE-2016-9077</cvename> + <url>https://www.mozilla.org/security/advisories/mfsa2016-89/</url>; + <url>https://www.mozilla.org/security/advisories/mfsa2016-90/</url>; + </references> + <dates> + <discovery>2016-11-15</discovery> + <entry>2016-11-16</entry> + </dates> + </vuln> + <vuln vid="a8e9d834-a916-11e6-b9b4-bcaec524bf84"> <topic>lives -- insecure files permissions</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611152202.uAFM2sSp082177>