Date:      Tue, 20 Sep 2016 17:01:30 +0000 (UTC)
From:      Jan Beich <jbeich@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r422522 - head/security/vuxml
Message-ID:  <201609201701.u8KH1Uh7002489@repo.freebsd.org>

Author: jbeich
Date: Tue Sep 20 17:01:30 2016
New Revision: 422522
URL: https://svnweb.freebsd.org/changeset/ports/422522

Log:
  Document recent Firefox vulnerabilities

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Sep 20 17:00:58 2016	(r422521)
+++ head/security/vuxml/vuln.xml	Tue Sep 20 17:01:30 2016	(r422522)
@@ -58,6 +58,86 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="2c57c47e-8bb3-4694-83c8-9fc3abad3964">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>49.0,1</lt></range>
+      </package>
+      <package>
+	<name>seamonkey</name>
+	<name>linux-seamonkey</name>
+	<range><lt>2.46</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>45.4.0,1</lt></range>
+      </package>
+      <package>
+	<name>linux-firefox</name>
+	<range><lt>45.4.0,2</lt></range>
+      </package>
+      <package>
+	<name>libxul</name>
+	<name>thunderbird</name>
+	<name>linux-thunderbird</name>
+	<range><lt>45.4.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/">;
+	  <p>CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]</p>
+	  <p>CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]</p>
+	  <p>CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]</p>
+	  <p>CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]</p>
+	  <p>CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]</p>
+	  <p>CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]</p>
+	  <p>CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]</p>
+	  <p>CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]</p>
+	  <p>CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]</p>
+	  <p>CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]</p>
+	  <p>CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]</p>
+	  <p>CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]</p>
+	  <p>CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]</p>
+	  <p>CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]</p>
+	  <p>CVE-2016-5281 - use-after-free in DOMSVGLength [high]</p>
+	  <p>CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]</p>
+	  <p>CVE-2016-5283 - &lt;iframe src&gt; fragment timing attack can reveal cross-origin data [high]</p>
+	  <p>CVE-2016-5284 - Add-on update site certificate pin expiration [high]</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-2827</cvename>
+      <cvename>CVE-2016-5256</cvename>
+      <cvename>CVE-2016-5257</cvename>
+      <cvename>CVE-2016-5270</cvename>
+      <cvename>CVE-2016-5271</cvename>
+      <cvename>CVE-2016-5272</cvename>
+      <cvename>CVE-2016-5273</cvename>
+      <cvename>CVE-2016-5274</cvename>
+      <cvename>CVE-2016-5275</cvename>
+      <cvename>CVE-2016-5276</cvename>
+      <cvename>CVE-2016-5277</cvename>
+      <cvename>CVE-2016-5278</cvename>
+      <cvename>CVE-2016-5279</cvename>
+      <cvename>CVE-2016-5280</cvename>
+      <cvename>CVE-2016-5281</cvename>
+      <cvename>CVE-2016-5282</cvename>
+      <cvename>CVE-2016-5283</cvename>
+      <cvename>CVE-2016-5284</cvename>
+      <url>https://www.mozilla.org/security/advisories/mfsa2016-85/</url>;
+      <url>https://www.mozilla.org/security/advisories/mfsa2016-86/</url>;
+    </references>
+    <dates>
+      <discovery>2016-09-13</discovery>
+      <entry>2016-09-20</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="653a8059-7c49-11e6-9242-3065ec8fd3ec">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
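Review bot: The blockquote's cite attribute names only mfsa2016-85, yet the references list both mfsa2016-85 and mfsa2016-86, and the firefox-esr, linux-firefox, libxul and thunderbird ranges are all keyed to 45.4.0. Nothing quoted in the description is attributed to the second advisory, so a reader cannot tell which of the listed CVEs apply to the 45.4.0 packages apart from CVE-2016-5257, whose text says so. Consider adding a second blockquote with cite set to the mfsa2016-86 URL that carries the ESR subset. Separately, the cite URL uses the /en-US/security/advisories/ path while the url elements use /security/advisories/; using one form in both places makes the entry easier to grep.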
@@ -537,6 +617,11 @@ Notes:
 	<range><lt>48.0,1</lt></range>
       </package>
       <package>
+	<name>seamonkey</name>
+	<name>linux-seamonkey</name>
+	<range><lt>2.45</lt></range>
+      </package>
+      <package>
 	<name>firefox-esr</name>
 	<range><lt>45.3.0,1</lt></range>
       </package>
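Review bot: The log message ("Document recent Firefox vulnerabilities") does not mention that this hunk retroactively adds seamonkey and linux-seamonkey with a range of lt 2.45 to an existing entry. Users of those packages below 2.45 will start seeing an audit hit from this commit on, so the log is the place they will look for the reason. Suggest a second log line that names the amended entry and states that seamonkey was added to it.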
@@ -653,6 +738,7 @@ Notes:
     <dates>
       <discovery>2016-08-02</discovery>
       <entry>2016-09-07</entry>
+      <modified>2016-09-20</modified>
     </dates>
   </vuln>
 
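Review bot: The new modified date of 2016-09-20 matches the commit date, but neither this hunk nor the one at -537 shows a vuln vid in its context, so it cannot be confirmed from the diff alone that this dates block belongs to the same entry that gained the seamonkey range. Worth checking before commit that the modified element landed in that entry and not in a neighbouring one with similar discovery and entry dates.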


