From: Jan Beich
Date: Thu, 20 Apr 2017 02:24:46 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r438922 - head/security/vuxml

Author: jbeich
Date: Thu Apr 20 02:24:45 2017
New Revision: 438922
URL: https://svnweb.freebsd.org/changeset/ports/438922

Log:
  security/vuxml: mark firefox < 53 as vulnerable

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Apr 20 02:19:48 2017 (r438921) +++ head/security/vuxml/vuln.xml Thu Apr 20 02:24:45 2017 (r438922) @@ -58,6 +58,136 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mozilla -- multiple vulnerabilities + + + firefox + 53.0_2,1 + + + seamonkey + linux-seamonkey + 2.50 + + + firefox-esr + 46.0,152.1.0_2,1 + 45.9.0,1 + + + linux-firefox + 46.0,252.1.0,2 + 45.9.0,2 + + + libxul + 46.052.1.0 + 45.9.0 + + + thunderbird + linux-thunderbird + 46.052.1.0 + 45.9.0 + + + + + 

Mozilla Foundation reports:

+
+

CVE-2017-5433: Use-after-free in SMIL animation functions

+

CVE-2017-5435: Use-after-free during transaction processing in the editor

+

CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2

+

CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS

+

CVE-2017-5459: Buffer overflow in WebGL

+

CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL

+

CVE-2017-5434: Use-after-free during focus handling

+

CVE-2017-5432: Use-after-free in text input selection

+

CVE-2017-5460: Use-after-free in frame selection

+

CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing

+

CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing

+

CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing

+

CVE-2017-5441: Use-after-free with selection during scroll events

+

CVE-2017-5442: Use-after-free during style changes

+

CVE-2017-5464: Memory corruption with accessibility and DOM manipulation

+

CVE-2017-5443: Out-of-bounds write during BinHex decoding

+

CVE-2017-5444: Buffer overflow while parsing application/http-index-format content

+

CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data

+

CVE-2017-5447: Out-of-bounds read during glyph processing

+

CVE-2017-5465: Out-of-bounds read in ConvolvePixel

+

CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor

+

CVE-2017-5437: Vulnerabilities in Libevent library

+

CVE-2017-5454: Sandbox escape allowing file system read access through file picker

+

CVE-2017-5455: Sandbox escape through internal feed reader APIs

+

CVE-2017-5456: Sandbox escape allowing local file system access

+

CVE-2017-5469: Potential Buffer overflow in flex-generated code

+

CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content

+

CVE-2017-5449: Crash during bidirectional unicode manipulation with animation

+

CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android

+

CVE-2017-5451: Addressbar spoofing with onblur event

+

CVE-2017-5462: DRBG flaw in NSS

+

CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android

+

CVE-2017-5467: Memory corruption when drawing Skia content

+

CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android

+

CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element

+

CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS

+

CVE-2017-5468: Incorrect ownership model for Private Browsing information

+

CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1

+

CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

+
+ +
+ + CVE-2017-5433 + CVE-2017-5435 + CVE-2017-5436 + CVE-2017-5461 + CVE-2017-5459 + CVE-2017-5466 + CVE-2017-5434 + CVE-2017-5432 + CVE-2017-5460 + CVE-2017-5438 + CVE-2017-5439 + CVE-2017-5440 + CVE-2017-5441 + CVE-2017-5442 + CVE-2017-5464 + CVE-2017-5443 + CVE-2017-5444 + CVE-2017-5446 + CVE-2017-5447 + CVE-2017-5465 + CVE-2017-5448 + CVE-2017-5437 + CVE-2017-5454 + CVE-2017-5455 + CVE-2017-5456 + CVE-2017-5469 + CVE-2017-5445 + CVE-2017-5449 + CVE-2017-5450 + CVE-2017-5451 + CVE-2017-5462 + CVE-2017-5463 + CVE-2017-5467 + CVE-2017-5452 + CVE-2017-5453 + CVE-2017-5458 + CVE-2017-5468 + CVE-2017-5430 + CVE-2017-5429 + https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/ + https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/ + https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/ + + + 2017-04-19 + 2017-04-19 + +
+ MySQL -- mulitiple vulnerabilities
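
Review bot: The fixed-version boundaries in the package ranges at the top of the new entry do not match the commit log or each other, and the log should say why. The log reads "mark firefox < 53 as vulnerable", but the firefox bound is 53.0_2,1 and the firefox-esr bound is 52.1.0_2,1, so port revisions of 53.0 and 52.1.0 below _2 are flagged as well, while linux-firefox stops at 52.1.0,2 and libxul and thunderbird stop at 52.1.0 with no port revision. If the _2 revisions carry a fix that the upstream release alone does not, name it in the commit message so that later editors of this entry do not "correct" the range. Separately, CVE-2017-5450, CVE-2017-5463 and CVE-2017-5452 are described in the quoted advisory text as affecting Firefox for Android; consider whether they belong in an entry whose packages are the firefox, seamonkey, libxul and thunderbird ports, or state that they are kept only for fidelity with the upstream advisory.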