Date: Fri, 30 Aug 2024 08:34:35 +0200
From: Fernando Apesteguía <fernape@freebsd.org>
To: Ronald Klop <ronald-lists@klop.ws>
Cc: ports-committers@freebsd.org, dev-commits-ports-main@freebsd.org, dev-commits-ports-all@freebsd.org
Subject: Re: git: 4453cf7eef05 - main - security/vuxml: Record firefox multiple vulnerabilites
Message-ID: <CAGwOe2Z8b%2B11dSVgRmXFTSND_PmcvJJ9CYdd9qWffWEhsCmefw@mail.gmail.com>
In-Reply-To: <1673063164.6537.1724964124887@localhost>
References: <202408291747.47THltnT050010@gitrepo.freebsd.org> <1673063164.6537.1724964124887@localhost>
[-- Attachment #1 --]
On Thu, Aug 29, 2024 at 10:42 PM Ronald Klop <ronald-lists@klop.ws> wrote:

> Hi,
>
> When I read the CVE documents they mention that these are about Firefox
> for iOS.
> The advisory page of Mozilla also talks about Firefox for iOS.
> https://www.mozilla.org/en-US/security/advisories/mfsa2024-36/
>
> So I doubt that this is applicable to the FreeBSD package. But you might
> know things I don't know.
>

You're right, it seems those are only for iOS.
They should have been discarded along with CVE-2024-7523...

I'll revert the commit and commit the pending CVEs:
CVE-2024-0745
CVE-2024-6608
CVE-2024-6609
CVE-2024-6610
CVE-2024-7524

Thanks for the heads up.

>
> Regards,
> Ronald.
>
>
>
> *From:* "Fernando Apesteguía" <fernape@FreeBSD.org>
> *Date:* Thursday, 29 August 2024 19:47
> *To:* ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
> dev-commits-ports-main@FreeBSD.org
> *Subject:* git: 4453cf7eef05 - main - security/vuxml: Record firefox
> multiple vulnerabilites
>
> The branch main has been updated by fernape:
>
> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=4453cf7eef05f9ac2b27bda7a87afb7da713f1c4
>
> commit 4453cf7eef05f9ac2b27bda7a87afb7da713f1c4
> Author: Fernando Apesteguía <fernape@FreeBSD.org>
> AuthorDate: 2024-08-29 17:43:33 +0000
> Commit: Fernando Apesteguía <fernape@FreeBSD.org>
> CommitDate: 2024-08-29 17:47:42 +0000
>
> security/vuxml: Record firefox multiple vulnerabilites
>
> CVE-2024-43111
> * Base Score: 6.1 MEDIUM
> * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
>
> CVE-2024-43112
> * Base Score: 6.1 MEDIUM
> * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
>
> CVE-2024-43113
> * Base Score: 6.1 MEDIUM
> * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
> ---
> security/vuxml/vuln/2024.xml | 39 +++++++++++++++++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)
>
> diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml > index 7dd64a18968f..e9606c88bfca 100644 
> --- a/security/vuxml/vuln/2024.xml > +++ b/security/vuxml/vuln/2024.xml 
> @@ -1,3 +1,42 @@ > + <vuln vid="44de1b82-662d-11ef-a51b-b42e991fc52e"> > + <topic>firefox -- multiple vulnerabilities</topic> > + <affects> > + <package> > + <name>firefox</name> > + <range><lt>129</lt></range> > + </package> > + </affects> > + <description> > + <bodyhttp://www.w3.org/1999/xhtml">http://www.w3.org/1999/xhtml"> > + <p>security@mozilla.org reports:</p> > + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1874964 > "> > + <p>This update includes 3 CVEs:</p> > + <ul> > + <li>The contextual menu for links could provide an > + opportunity for cross-site scripting attacks.</li> > + <li>Long pressing on a download link could potentially > + provide a means for cross-site scripting.</li> > + <li>Long pressing on a download link could potentially > + allow Javascript commands to be executed within the > + browser.</li> > + </ul> > + </blockquote> > + </body> > + </description> > + <references> > + <cvename>CVE-2024-43113</cvename> > + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-43113</url> > + <cvename>CVE-2024-43112</cvename> > + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-43112</url> > + <cvename>CVE-2024-43111</cvename> > + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-43111</url> > + </references> > + <dates> > + <discovery>2024-08-06</discovery> > + <entry>2024-08-29</entry> > + </dates> > + </vuln> > + > <vuln vid="6f2545bb-65e8-11ef-8a0f-a8a1599412c6"> > <topic>chromium -- multiple security fixes</topic> > <affects> > ------------------------------
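
Review bot: the `<affects>` block names the `firefox` package with `<lt>129</lt>`, but two of the three quoted items describe long-pressing a download link, and the reply in this thread agrees the CVEs apply only to Firefox for iOS, so the entry would flag a port that is not affected. The `<references>` section carries only NVD links and the blockquote `cite` points at a Bugzilla bug; adding the vendor advisory cited earlier in the thread (https://www.mozilla.org/en-US/security/advisories/mfsa2024-36/) as a `<url>` would let the product scope be checked from the entry itself. If the entry is kept in any form, the three `<li>` items should also be tied to their individual `<cvename>` values rather than left as an unlabelled list.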
