Date:      Wed, 10 Jul 2019 01:16:04 +0000 (UTC)
From:      Jan Beich <jbeich@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r506328 - head/security/vuxml
Message-ID:  <201907100116.x6A1G4IS002664@repo.freebsd.org>

Author: jbeich
Date: Wed Jul 10 01:16:04 2019
New Revision: 506328
URL: https://svnweb.freebsd.org/changeset/ports/506328

Log:
  security/vuxml: mark firefox < 68 as vulnerable

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Jul 10 01:10:02 2019	(r506327)
+++ head/security/vuxml/vuln.xml	Wed Jul 10 01:16:04 2019	(r506328)
@@ -58,6 +58,96 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="0592f49f-b3b8-4260-b648-d1718762656c">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>68.0_4,1</lt></range>
+      </package>
+      <package>
+	<name>waterfox</name>
+	<range><lt>56.2.12</lt></range>
+      </package>
+      <package>
+	<name>seamonkey</name>
+	<name>linux-seamonkey</name>
+	<range><lt>2.49.5</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>60.8.0,1</lt></range>
+      </package>
+      <package>
+	<name>linux-firefox</name>
+	<range><lt>60.8.0,2</lt></range>
+      </package>
+      <package>
+	<name>libxul</name>
+	<name>thunderbird</name>
+	<name>linux-thunderbird</name>
+	<range><lt>60.8.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/">;
+	  <p>CVE-2019-9811: Sandbox escape via installation of malicious language pack</p>
+	  <p>CVE-2019-11711: Script injection within domain through inner window reuse</p>
+	  <p>CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects</p>
+	  <p>CVE-2019-11713: Use-after-free with HTTP/2 cached stream</p>
+	  <p>CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread</p>
+	  <p>CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault</p>
+	  <p>CVE-2019-11715: HTML parsing error can contribute to content XSS</p>
+	  <p>CVE-2019-11716: globalThis not enumerable until accessed</p>
+	  <p>CVE-2019-11717: Caret character improperly escaped in origins</p>
+	  <p>CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML</p>
+	  <p>CVE-2019-11719: Out-of-bounds read when importing curve25519 private key</p>
+	  <p>CVE-2019-11720: Character encoding XSS vulnerability</p>
+	  <p>CVE-2019-11721: Domain spoofing through unicode latin 'kra' character</p>
+	  <p>CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin</p>
+	  <p>CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries</p>
+	  <p>CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions</p>
+	  <p>CVE-2019-11725: Websocket resources bypass safebrowsing protections</p>
+	  <p>CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3</p>
+	  <p>CVE-2019-11728: Port scanning through Alt-Svc header</p>
+	  <p>CVE-2019-11710: Memory safety bugs fixed in Firefox 68</p>
+	  <p>CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-11709</cvename>
+      <cvename>CVE-2019-11710</cvename>
+      <cvename>CVE-2019-11711</cvename>
+      <cvename>CVE-2019-11712</cvename>
+      <cvename>CVE-2019-11713</cvename>
+      <cvename>CVE-2019-11714</cvename>
+      <cvename>CVE-2019-11715</cvename>
+      <cvename>CVE-2019-11716</cvename>
+      <cvename>CVE-2019-11717</cvename>
+      <cvename>CVE-2019-11718</cvename>
+      <cvename>CVE-2019-11719</cvename>
+      <cvename>CVE-2019-11720</cvename>
+      <cvename>CVE-2019-11721</cvename>
+      <cvename>CVE-2019-11723</cvename>
+      <cvename>CVE-2019-11724</cvename>
+      <cvename>CVE-2019-11725</cvename>
+      <cvename>CVE-2019-11727</cvename>
+      <cvename>CVE-2019-11728</cvename>
+      <cvename>CVE-2019-11729</cvename>
+      <cvename>CVE-2019-11730</cvename>
+      <cvename>CVE-2019-9811</cvename>
+      <url>https://www.mozilla.org/security/advisories/mfsa2019-21/</url>;
+      <url>https://www.mozilla.org/security/advisories/mfsa2019-22/</url>;
+    </references>
+    <dates>
+      <discovery>2019-07-09</discovery>
+      <entry>2019-07-09</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="23f65f58-a261-11e9-b444-002590acae31">
     <topic>GnuPG -- denial of service</topic>
     <affects>
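Review bot: The new entry `0592f49f-b3b8-4260-b648-d1718762656c` attaches one CVE list to every package in `<affects>`, although the quoted titles show the affected sets differ: CVE-2019-11710 reads "Memory safety bugs fixed in Firefox 68", while CVE-2019-11709 names both Firefox 68 and Firefox ESR 60.8. Someone triaging a `pkg audit` hit for firefox-esr, linux-firefox, thunderbird or libxul (all cut at 60.8.0) cannot tell from the entry which of the 21 CVEs apply to the installed package. The `<blockquote cite=…>` also points only at mfsa2019-21, while `<references>` lists mfsa2019-22 as well, presumably the ESR advisory. Consider adding a short `<p>` to the body saying that the 60.8.0-based packages are covered by mfsa2019-22 and only part of this list, or moving those packages into their own entry.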
@@ -653,6 +743,10 @@ Notes:
 	<range><lt>67.0.4,1</lt></range>
       </package>
       <package>
+	<name>waterfox</name>
+	<range><lt>56.2.12</lt></range>
+      </package>
+      <package>
 	<name>firefox-esr</name>
 	<range><lt>60.7.2,1</lt></range>
       </package>
@@ -678,6 +772,7 @@ Notes:
     <dates>
       <discovery>2019-06-20</discovery>
       <entry>2019-06-21</entry>
+      <modified>2019-07-09</modified>
     </dates>
   </vuln>
 


