Date: Tue, 8 Mar 2016 20:41:25 +0000 (UTC) From: Jan Beich <jbeich@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r410659 - head/security/vuxml Message-ID: <201603082041.u28KfPP1015241@repo.freebsd.org>
Author: jbeich Date: Tue Mar 8 20:41:24 2016 New Revision: 410659 URL: https://svnweb.freebsd.org/changeset/ports/410659 Log: Move brotli to its own entry Modified: head/security/vuxml/vuln.xml (contents, props changed) Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Mar 8 20:40:00 2016 (r410658) +++ head/security/vuxml/vuln.xml Tue Mar 8 20:41:24 2016 (r410659) 
@@ -58,6 +58,70 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1bcfd963-e483-41b8-ab8e-bad5c3ce49c9"> + <topic>brotli -- buffer overflow</topic> + <affects> + <package> + <name>brotli</name> + <name>libbrotli</name> + <range><lt>0.4.0</lt></range> + </package> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>48.0.2564.109</lt></range> + </package> + <package> + <name>firefox</name> + <name>linux-firefox</name> + <range><lt>45.0,1</lt></range> + </package> + <package> + <name>seamonkey</name> + <name>linux-seamonkey</name> + <range><lt>2.42</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>38.7.0,1</lt></range> + </package> + <package> + <name>libxul</name> + <name>thunderbird</name> + <name>linux-thunderbird</name> + <range><lt>38.7.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html"> + <p>[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.</p> + </blockquote> + <p>Mozilla Foundation reports:</p> + <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/"> + <p>Security researcher Luke Li reported a pointer underflow + bug in the Brotli library's decompression that leads to a + buffer overflow. 
This results in a potentially exploitable + crash when triggered.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1624</cvename> + <cvename>CVE-2016-1968</cvename> + <url>https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade</url> + <url>https://chromium.googlesource.com/chromium/src/+/7716418a27d561ee295a99f11fd3865580748de2%5E!/</url> + <url>https://www.mozilla.org/security/advisories/mfsa2016-30/</url> + <url>https://hg.mozilla.org/releases/mozilla-release/rev/4a5d8ade4e3e</url> + </references> + <dates> + <discovery>2016-02-08</discovery> + <entry>2016-03-08</entry> + </dates> + </vuln> + <vuln vid="2225c5b4-1e5a-44fc-9920-b3201c384a15"> <topic>mozilla -- multiple vulnerabilities</topic> <affects> @@ -112,7 +176,6 @@ Notes: <p>MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore</p> - <p>MFSA 2016-30 Buffer overflow in Brotli decompression</p> <p>MFSA 2016-31 Memory corruption with malicious NPAPI plugin</p> <p>MFSA 2016-32 WebRTC and LibVPX vulnerabilities found @@ -141,7 +204,6 @@ Notes: <cvename>CVE-2016-1965</cvename> <cvename>CVE-2016-1966</cvename> <cvename>CVE-2016-1967</cvename> - <cvename>CVE-2016-1968</cvename> <cvename>CVE-2016-1970</cvename> <cvename>CVE-2016-1971</cvename> <cvename>CVE-2016-1972</cvename> @@ -163,7 +225,6 @@ Notes: <url>https://www.mozilla.org/security/advisories/mfsa2016-27/</url> <url>https://www.mozilla.org/security/advisories/mfsa2016-28/</url> <url>https://www.mozilla.org/security/advisories/mfsa2016-29/</url> - <url>https://www.mozilla.org/security/advisories/mfsa2016-30/</url> <url>https://www.mozilla.org/security/advisories/mfsa2016-31/</url> <url>https://www.mozilla.org/security/advisories/mfsa2016-32/</url> <url>https://www.mozilla.org/security/advisories/mfsa2016-33/</url> 
@@ -172,6 +233,7 @@ Notes: <dates> <discovery>2016-03-08</discovery> <entry>2016-03-08</entry> + <modified>2016-03-08</modified> </dates> </vuln> @@ -2151,8 +2213,6 @@ Notes: Credit to anonymous.</li> <li>[577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.</li> - <li>[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit - to lukezli.</li> <li>[509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.</li> <li>[571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. @@ -2166,7 +2226,6 @@ Notes: <references> <cvename>CVE-2016-1622</cvename> <cvename>CVE-2016-1623</cvename> - <cvename>CVE-2016-1624</cvename> <cvename>CVE-2016-1625</cvename> <cvename>CVE-2016-1626</cvename> <cvename>CVE-2016-1627</cvename> @@ -2175,6 +2234,7 @@ Notes: <dates> <discovery>2016-02-08</discovery> <entry>2016-02-09</entry> + <modified>2016-03-08</modified> </dates> </vuln>
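Review bot: In the @@ -58,6 +58,70 @@ hunk the upper bounds `<lt>45.0,1</lt>` (firefox/linux-firefox) and `<lt>38.7.0,1</lt>` (firefox-esr) carry a `,1` epoch suffix while `<lt>38.7.0</lt>` for libxul/thunderbird/linux-thunderbird and `<lt>2.42</lt>` for seamonkey do not; please confirm each bound matches that port's PORTEPOCH, since a range with the wrong epoch is compared against a differently formed version string and `pkg audit` will then either never flag or always flag the package. The same hunk puts libbrotli under the brotli bound `<lt>0.4.0</lt>`; worth checking that the libbrotli port's version tracks upstream brotli releases so the bound is meaningful for both names.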
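Review bot: In the @@ -112,7 +176,6 @@ hunk, dropping `<p>MFSA 2016-30 Buffer overflow in Brotli decompression</p>` leaves the mozilla entry's advisory list jumping from MFSA 2016-29 straight to MFSA 2016-31 with no indication of where the advisory went; consider a one-line `<p>` stating that MFSA 2016-30 is tracked in the separate brotli entry (vid 1bcfd963-e483-41b8-ab8e-bad5c3ce49c9), so that anyone reconciling this entry against the full MFSA 2016 list does not read the gap as an omission.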
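Review bot: In the @@ -2151,8 +2213,6 @@ hunk the removed `<li>[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.</li>` is one item of what reads as the quoted Chrome release-notes list (the same wording is quoted verbatim in the new brotli entry's blockquote), so after this change the chromium entry's quotation no longer reproduces the source list as published; if the item is to stay out of this entry, a short note that CVE-2016-1624 is now tracked under the brotli entry would keep the quotation honest. The matching `<modified>2016-03-08</modified>` in @@ -2175,6 +2234,7 @@ does record the edit, which is good.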